[squid-users] Peeking on TLS traffic: unknown cipher returned

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 19 13:42:02 UTC 2016


On 19/10/2016 7:44 p.m., Leandro Barragan wrote:
> Hi!
> 
> I'm having trouble with SSL Peek & Splice in Squid 3.5.16 using

Please upgrade to 3.5.19 or later. Current is 3.5.22.

> intercept mode. I'm trying to configure a transparent proxy (no CA
> installed on clients) which denies access to specific sites. I
> understand that if I can't Bump (my case), then I can only use SNI
> information from TLS "Client Hello" on Step 2.

Correct.

> 
> Everything works OK with most sites, but when I try to connect to some
> sites like facebook.com or microsoft.com, clients can't connect and I
> get this error on cache.log:
> 
>> [...]
>> Error negotiating SSL on FD 111: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
>> [...]
> 
> Reading emails from this list, I came to the conclusion that this
> error is related to new ciphers (like ChaCha20) which are not
> supported by OpenSSL 1.0.1... So I tried to compile Squid using
> OpenSSL 1.1.0, which is not possible (bug #4599). I also tried to
> compile it using LibreSSL unsuccessfully.

A more current Squid (3.5.19+) and OpenSSL 1.0.2 latest should work. It
has for others.

> 
> I fail to see why is this happening. I only need to peek on the
> connection and make a decision based on SNI, I'm not Bumping, so I
> don't understand why ciphers matter in my situation.

Note that the sites you get this error on are the ones where "terminate"
action is configured to happen.

Terminate means impersonating the server and responding to the client
with an HTTPS error page.



> 
> My squid.conf:
> 
>> [...]
>> acl face ssl::server_name_regex -i facebook
>> acl twitter ssl::server_name_regex -i twitter
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>>
>> sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>
>> http_port 3128
>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/myCA.pem options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>
>> sslproxy_capath /var/lib/ssl_db
>>
>> ssl_bump peek all step1
>> ssl_bump peek all step2

The use of "all" is redundant and useless in the above lines.

Since peek is only valid at step #1 and #2 anyway the "step1" and "step2"
are pointless.

>> ssl_bump terminate face step3
>> ssl_bump terminate twitter step3
>> ssl_bump splice all step3

The use of "step3" is redundant and useless.

Since ACL "face" and ACL "twitter" are of the same type and used as a
pair with the same action, you would be better off merging their values
under one ACL name.

Oh, and most content from facebook actually comes from the "fbcdn" domain.

You might as well configure:

 acl TF ssl::server_name_regex -i facebook fbcdn twitter
 ssl_bump peek all
 ssl_bump terminate TF
 ssl_bump splice all


Amos
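The step 2 decision this thread turns on, as an added example that is not part of the original message or of Squid: a constructed TLS ClientHello, the SNI parsed out of it the way a peeking proxy sees it before any server connection exists, and the suggested `ssl::server_name_regex -i facebook fbcdn twitter` ACL applied to it. The record bytes and helper names (`build_client_hello`, `extract_sni`, `ssl_bump_action`) are assumptions made for illustration.

```python
import re
import struct

# Constructed TLS ClientHello (not a capture): all a peeking proxy holds at SslBump step 2.
def build_client_hello(server_name: str) -> bytes:
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (b"\x03\x03"                                  # TLS 1.2
            + b"\x11" * 32                               # random (filler)
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
            + b"\x01\x00"                                # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:                 # not a handshake
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
        return None
    pos = 4 + 2 + 32                                 # header, version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):
        return None                                  # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:        # list len(2), name_type(1), name len(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

# Amos' suggested ACL: ssl::server_name_regex -i facebook fbcdn twitter
TF = re.compile("facebook|fbcdn|twitter", re.IGNORECASE)

def ssl_bump_action(record: bytes) -> str:
    """Mirror the suggested rules: terminate when TF matches the SNI, else splice."""
    sni = extract_sni(record)
    return "terminate" if sni and TF.search(sni) else "splice"
```

A record without a usable SNI falls through to splice here; in Squid the same ACL simply does not match, so the final `ssl_bump splice all` line applies.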


