[squid-users] Skype Issues

Yuri Voinov yvoinov at gmail.com
Wed Jun 29 17:19:12 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
No, the problem in another place.

This option about ICQ, not about Skype.

29.06.2016 22:58, Renato Jop пишет:
> I've installed squid4 and the problems still persists. I've added the following acl:
> # define what Squid errors indicate receiving non-HTTP traffic:
> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
> # define what Squid errors indicate receiving nothing:
> acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
> # tunnel everything that does not look like HTTP:
> on_unsupported_protocol tunnel foreignProtocol
> # tunnel if we think the client waits for the server to talk first:
> on_unsupported_protocol tunnel serverTalksFirstProtocol
> # in all other error cases, just send an HTTP "error page" response:
> on_unsupported_protocol respond all
>
> Renato Jop
>
> On Wed, Jun 29, 2016 at 8:21 AM, Renato Jop <renjop at gmail.com
<mailto:renjop at gmail.com>> wrote:
>
>     I've installed LibreSSL 2.2.9 and the issue still persists.
>     I think I am going to have install squid4 even if it's still in
beta to solve this issues.
>     Thanks for your help.
>
>
>     Renato Jop
>
>     On Mon, Jun 27, 2016 at 9:36 AM, Renato Jop <renjop at gmail.com
<mailto:renjop at gmail.com>> wrote:
>
>         Is there a way to verify that the SSL library doesn't support
SSLv3?
>
>         Renato Jop
>
>         On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoinov at gmail.com
<mailto:yvoinov at gmail.com>> wrote:
>
>             Looks like your SSL library does not contain SSLv3
protocol support already, but site announce it.
>
>
>             27.06.2016 20:42, Renato Jop пишет:
>>             I removed the NO_SSLv2, NO_SSLv3 however, right before
the SSL3_GET_RECORD:wrong version number the SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>>
>>             Renato Jop
>>
>>             On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov at gmail.com
<mailto:yvoinov at gmail.com>> wrote:
>>
>>                 Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2
already not supported everywhere, RC4/3DES is SSLv3 ciphers, so it can
be confuse software. I.e., you use custom ciphers/protocols
combinations, which can lead issue.
>>
>>
>>                 27.06.2016 20:25, Renato Jop пишет:
>>>                 Thank you both for your valuable help.
>>>                 I've configured the tls-dh param with a strong
Diffie-Hellman group (2048 bits) and configured the cipher as Yuri
specified and I was able to get pass the unknown cipher, however now I
get a "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the
configuration I changed:
>>>                 
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
tls-dh=/usr/local/etc/squid/dhparams.pem
>>>
>>>
>>>
>>>                 Renato Jop
>>>
>>>                 On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov
<yvoinov at gmail.com <mailto:yvoinov at gmail.com>> wrote:
>>>
>>>
>
>
> 25.06.2016 <tel:25.06.2016> 23:09, Amos Jeffries пишет:
> > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
> >>
> >> Amos, you are a wrong.
> >>
> >> No Squid-4. It's unstable and not ready for production. Whenever it's
> >> features.
>
> > So some beta software has bugs therefore nobody should ever use it for
> > anything. I find that to be a strange and sad view of the world.
>
> > Care to guess why I listed it as the last option amongst several?
> >  Or why 4.0.11 exists as a beta still?
> > It *is* an option for the mentioned problem(s) though whatever its
> utility.
> Agreed.
>
>
>
> >>
> >> Some time ago I have the same issue and know what happens exactly.
> >>
> >> Skype initial connection site uses RC4 cipher. Which is disabled in
most
> >> squid's configuration.
>
> > Your "know what happens exactly" differs from at least two other peoples
> > debugging experiences with Skype.
>
> > RC4 is on the hitlist for most of the big vendors for the past year or
> > so. IIRC there were several Windows Updates to remove it and other
> > broken bits from a lot of things over the past year.
> > If Skype is still using RC4 it might be part of this problem.
> I'm sure this is problem and this problem exists. MS do nothing to make
> they sites/services more secure. BTW, MS Updates uses RC4 ciphers itself
> this time. With strong siphers there is no way to setup WU via Squid.
> I've spent much time to identify this problem in my setup and find
> working workaround.
>
> Another part of problem is: MS often uses it's own self-signed roots,
> which is exists in Windows, but nowhere else. And which has not
> cross-signed by well-known root CA's. They think it make MS services
> more secure. They wrong. But we can't do anything with it. So, this is
> forced us to add self-signed MS roots to our Squid's CA bundles to
> bump/splice.
>
>
> >>
> >> To make it works (as by as most M$ update sites) it's require
simple use
> >> this cipher's suite:
> >>
> >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> >>
> >> That works for me in 5 SSL bumped setups. There is no matter which
squid
> >> version installed.
>
> > Thank you. Thats another option then. I'd rate that below trying the EC
> > ciphers, and above library updates.
> You are welcome.
>
> Just for information: MS has own IT infrastructure, with some strange
> configured and non well-managed elements. I can't guarantee this
> workaround will work everywhere or for every MS service.
>
> When I made my research, I've seen some strange security TLS
> combinations on MS sites/services. I.e., for example, RC4+ECDSA+TLSv1.2.
> Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
> potentially dangerous combinations. And - they support ignores all
> requests. As usual.
>
> To my regret, I can not order all of its users to abandon the use of
> Windows. So far, in my infrastructure have machines with Windows XP.
>
> With this nothing can be done, it is necessary only to weaken the
> security - for the sake of compatibility.
>
>
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
<mailto:squid-users at lists.squid-cache.org>
> > http://lists.squid-cache.org/listinfo/squid-users
>
>>>
>>>
>>>                     _______________________________________________
>>>                     squid-users mailing list
>>>                     squid-users at lists.squid-cache.org
<mailto:squid-users at lists.squid-cache.org>
>>>                     http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>
>>
>
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXdAMLAAoJENNXIZxhPexG418IAMQwpVRq1iFSGRCVAA9mIcHc
1ru7T00FRr3wKNrm6hCaeI3TgW9eAMguYG7wYbFqbOOZMWp0k/sFYqAGWwxhZGA4
+lEB/P5/+PJbg89MSYvTPjRrmf0XYtgwwCuZD+7oC0VSmdldhhaXgJYTi+lfVKZQ
p+P0X41y2Alfzjl2NqqJGN7Oyc35Av617YzsrjKN3MgSH6LDh+h7vhin75q/zXD8
TsRYAlqxsXAA5pvTbUrjVG7lruuavTGmKFpa79jZpkzlbkMEUW+088LeunkdP+V9
e2L6MlY6J10Jir3vwHFHYJJh4hbGYkJf4TdnZuV3itD937GebNOjqChMm8h7ER8=
=ThrU
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160629/d024605c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160629/d024605c/attachment.key>

More information about the squid-users mailing list