[squid-users] Peeking on TLS traffic: unknown cipher returned

Thu Oct 20 02:51:32 UTC 2016

Amos,

I really appreciate your answer and the time you took trying to
explain me the rules. I'm already compiling Squid 3.5.22 with OpenSSL
1.0.2j to see if that solves my issue.

Leaving aside the software version, it seems weird to me that I see
this behaviour not only on blocked (terminated) sites like facebook,
but in other sites too, like microsoft.com, which should only be
peeked (taking into account that I applied the config you recommended
me: peek all, terminate facebook&twitter, and splice all).
When I access microsoft.com, I get the unknown cipher error on Squid
but on the client I see a certificate error. When I look at the
certificate info, it is signed by Squid. It makes no sense at all.
Microsoft.com should be peeked and then spliced, not bumped. That
makes me think that I'm missing something else. I don't want to bump
at all, I just want to block sites by looking at SNI info.

Thanks

Leandro

On 19 October 2016 at 10:42, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 19/10/2016 7:44 p.m., Leandro Barragan wrote:
>> Hi!
>>
>> I'm having trouble with SSL Peek & Splice in Squid 3.5.16 using
>
> Please upgrade to 3.5.19 or later. Current is 3.5.22.
>
>> intercept mode. I'm trying to configure a transparent proxy (no CA
>> installed on clients) which denies access to specific sites. I
>> understand that if I can't Bump (my case), then I can only use SNI
>> information from TLS "Client Hello" on Step 2.
>
> Correct.
>
>>
>> Everything works OK with most sites, but when I try to connect to some
>> sites like facebook.com or microsoft.com, clients can't connect and I
>> get this error on cache.log:
>>
>>> [...]
>>> Error negotiating SSL on FD 111: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
>>> [...]
>>
>> Reading emails from this list, I came to the conclusion that this
>> error is related to new ciphers (like ChaCha20) which are not
>> supported by OpenSSL 1.0.1... So I tried to compile Squid using
>> OpenSSL 1.1.0, which is not possible (bug #4599). I also tried to
>> compile it using LibreSSL unsuccessfully.
>
> A more current Squid (3.5.19+) and OpenSSL 1.0.2 latest should work. It
> has for others.
>
>>
>> I fail to see why is this happening. I only need to peek on the
>> connection and make a decision based on SNI, I'm not Bumping, so I
>> don't understand why ciphers matter in my situation.
>
> Note that the sites you get this error on are the ones where "terminate"
> action is configured to happen.
>
> Terminate means impersonating the server and responding to the client
> with an HTTPS error page.
>
>
>
>>
>> My squid.conf:
>>
>>> [...]
>>> acl face ssl::server_name_regex -i facebook
>>> acl twitter ssl::server_name_regex -i twitter
>>>
>>> acl step1 at_step SslBump1
>>> acl step2 at_step SslBump2
>>> acl step3 at_step SslBump3
>>>
>>> sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>>
>>> http_port 3128
>>> http_port 3129 intercept
>>> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/myCA.pem options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>>
>>> sslproxy_capath /var/lib/ssl_db
>>>
>>> ssl_bump peek all step1
>>> ssl_bump peek all step2
>
> The use of "all" is redundant and useless in the above lines.
>
> Since peek is only valid at step #1 and #2 anyway the "step1 and step2
> are pointless.
>
>>> ssl_bump terminate face step3
>>> ssl_bump terminate twitter step3
>>> ssl_bump splice all step3
>
> The use of "step3" is redundant and useless.
>
> Since ACL "face" and ACL "twitter" are of the same type and used as a
> pair with the same action. You would be better off merging their values
> under one ACL name.
>
> Oh, and most content from facebook actually comes from the "fbcdn" domain.
>
> You might as well configure:
>
>  acl TF ssl::server_name_regex -i facebook fbcdn twitter
>  ssl_bump peek all
>  ssl_bump terminate TF
>  ssl_bump splice all
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users