[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 4 05:17:59 UTC 2016


On 3/10/2016 8:11 p.m., Vieri wrote:
> 
> 
> Hi,
> 
> ----- Original Message -----
>> From: Yuri Voinov <yvoinov at gmail.com>
>> 
> 
>>>> Why is Squid negotiating cipher RC4-MD5 which is reported
>>>> "insecure" and unsupported by the google web site?
>>
>> Because your antique client requests it. XP desupported years ago.
> 
> [...]
>> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no
>> other way. I am afraid that in this case, the cactus is too large and
>> inedible.
> 
> I agree that XP clients shouldn't be used anymore but it's easier
> said than done in corporate environments.
> 
> In any case, on a purely technical level, I don't know the internals
> of Squid and standard proxying protocols but if a Windows XP+IE8
> client has no problem whatsoever connecting directly (no proxy) to
> https://www.google.com but fails with Squid in the middle (ssl-bump)
> then that makes me think that it could be either a Squid bug or a
> missing feature 

TLS/SSL was designed to prevent MITM being done on the encrypted
traffic. When used properly that is exactly what it does.

SSL-Bump is an MITM process.

So the behaviour you see of "working" when no proxy bumping and "not
working" when proxy attempts to bump is exactly the way HTTPS was
designed to behave.

It is unreasonable to believe that working TLS behaviour is a bug in
Squid...

> Whatever the reason,
> for an end-user like me it seems that the XP client is able to
> negotiate TLS correctly with Google and presumably using the cipher
> DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt),
> whereas Squid immediately fails with RC4-MD5. It doesn't ever seem to
> try DES-CBC3-SHA even though it's available in openssl.

... in this case it might be. But not for the reasons stated. The
problem known so far is that RC4-MD5 cipher: why it is not being used by
your OpenSSL library.

That could bear some further investigation. There may be things you need
to enable in the config passed to OpenSSL, or a different build of the
library needed. Something along those lines - I'm just guessing here.

> 
> 
> So I guess I'll start forcing users to use Firefox on WinXP or any
> other sane OS. I just wanted to point out though that I'm still
> confused as to why the client connection is failing.

That sounds like a potentially workable option or at least workaround.

I hope the above explanations can alleviate your confusion a bit despite
not providing any answer to the problem.

Amos
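Added example (not part of the thread, not Squid code): a small Python diagnostic for the two questions raised above. `local_cipher_support` asks the OpenSSL library Python is linked against whether it can select each named suite, which is the check behind "why is RC4-MD5 not being used by your OpenSSL library" (build options and the @SECLEVEL setting both decide this). `negotiate` models how a server picks a suite from a single ClientHello: the first suite common to both lists, in the client's order unless the server enforces its own preference. The XP/IE8 offer list is constructed from the suite names quoted in the thread; its length and ordering are assumptions.

```python
import ssl

# Constructed sample: suites an old Windows XP / IE8 client might offer, in
# the order quoted in the thread. A real XP ClientHello lists more suites;
# this list and its order are assumptions for illustration.
XP_IE8_OFFER = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]


def local_cipher_support(names, protocol=ssl.PROTOCOL_TLS_CLIENT):
    """Return {suite_name: bool} saying whether the linked OpenSSL library
    can actually select each suite. This is the library-level check to run
    before blaming the proxy: if RC4-MD5 is False here, no Squid setting on
    top of this library can make it negotiate RC4-MD5."""
    result = {}
    for name in names:
        ctx = ssl.SSLContext(protocol)
        try:
            # set_ciphers raises SSLError when the string matches nothing
            # usable (not compiled in, disabled by security level, or
            # needing a provider that is not loaded).
            ctx.set_ciphers(name)
            # get_ciphers also lists fixed TLS 1.3 suites, so confirm the
            # requested name is really present.
            result[name] = any(c["name"] == name for c in ctx.get_ciphers())
        except ssl.SSLError:
            result[name] = False
    return result


def negotiate(client_offer, server_supported, server_preference=False):
    """Pick the suite a TLS server chooses from one ClientHello.

    OpenSSL's default is the first suite in the CLIENT's order that the
    server also supports; with SSL_OP_CIPHER_SERVER_PREFERENCE it walks the
    SERVER's list instead. Returns None when no suite overlaps, which is the
    handshake_failure alert the thread sees as SQUID_ERR_SSL_HANDSHAKE."""
    if server_preference:
        first, second = server_supported, client_offer
    else:
        first, second = client_offer, server_supported
    for name in first:
        if name in second:
            return name
    return None


if __name__ == "__main__":
    for suite, ok in local_cipher_support(XP_IE8_OFFER + ["AES128-SHA"]).items():
        print(f"{suite:30s} {'available' if ok else 'NOT available'} in local OpenSSL")

    # A server (Google, or a bumping proxy) with no RC4 but with 3DES still
    # completes the handshake from the same ClientHello: no retry is needed.
    print(negotiate(XP_IE8_OFFER, ["DES-CBC3-SHA", "AES128-SHA"]))
    # A server with neither RC4 nor 3DES has nothing in common: failure.
    print(negotiate(XP_IE8_OFFER, ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```

Running the script shows the practical consequence: a single ClientHello carrying RC4-MD5, RC4-SHA and DES-CBC3-SHA succeeds against any server that has 3DES compiled in and enabled, so the failure in the thread comes down to what the proxy's OpenSSL build and its configured cipher string (`sslproxy_cipher` in Squid 3.x, `tls_outgoing_options cipher=` in Squid 4) allow, not to an RC4-first retry. If `DES-CBC3-SHA` reports as unavailable locally, enabling it is a library or build decision, and a weak-cipher one at that, which is the trade-off the thread describes.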


