[squid-users] Peeking on TLS traffic: unknown cipher returned

James Lay jlay at slave-tothe-box.net
Fri Oct 21 13:55:41 UTC 2016


On 2016-10-20 20:15, Leandro Barragan wrote:
> Thanks for your time Alex! I modified my original config based on Amos
> recommendations, so I think now I have a more consistent peek & splice
> config:
> 
>  acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>  ssl_bump peek all
>  ssl_bump terminate TF
>  ssl_bump splice all
> 
> As you mentioned, terminate closes the connection, it doesn't serve an
> error page (when it works, i.e. with reddit and twitter).
> 
> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
> same exact issue, even with this new config. Based on what you
> explained, I think it's a OpenSSL problem and Squid can't do anything
> about it. I have two reasons to believe that:
> 
> 1) The "unknown cipher returned" error gets triggered on terminated
> and non terminated (e.g. microsoft.com) sites, which makes me think it
> has nothing to do with Squid ACLs.
> 2) All problematic sites use a new cipher called "ChaCha20" (E.g.
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256....according to Qualys
> online analyzer and TestSSLServer tool)
> 
> A lot of sites are using this new cipher. I'm back at the beginning, I
> will continue trying to compile Squid with patched versions of OpenSSL
> or LibreSSL.
> 
> Thanks!
> 
> On 20 October 2016 at 01:01, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>> 
>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
>> 
>>> I fail to see why is this happening. I only need to peek on the
>>> connection and make a decision based on SNI,
>> 
>> Please note that "peek and make a decision based on SNI" is not what
>> your configuration tells Squid to do. Your configuration tells Squid to
>> peek during step2, which means making a decision based on server
>> certificates (and SNI).
>> 
>> 
>>> I'm not Bumping, so I
>>> don't understand why ciphers matter in my situation.
>> 
>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>> little) and step3. It is possible to completely remove OpenSSL from
>> step2 but there is currently no project to do that AFAIK.
>> 
>> 
>>>> ssl_bump peek all step1
>>>> ssl_bump peek all step2
>>>> ssl_bump terminate face step3
>>>> ssl_bump terminate twitter step3
>>>> ssl_bump splice all step3
>> 
>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>> config. You can safely remove them to arrive at the equivalent ssl_bump
>> configuration.
>> 
>> 
>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>> Terminate means impersonating the server and responding to the client
>>> with an HTTPS error page.
>> 
>> Terminate means "close client and server connections immediately". The
>> problem is not with the terminate action but with peeking (which relies
>> on OpenSSL, especially during step2, especially in Squid v3).
>> 
>> 
>> HTH,
>> 
>> Alex.

FWIW I've had great success with the git version of libressl and using the below:

./configure --prefix=/opt/libressl

and for squid:

./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl --enable-ssl-crtd

James
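As an added example that is not part of this thread (and not Squid's, OpenSSL's or LibreSSL's own code): the failure Alex describes happens when a step2 peek hands the server's ServerHello to the TLS library, and Leandro's observation is that the failing servers pick ChaCha20-Poly1305. The Python below parses a minimal TLS 1.2 ServerHello, pulls out the cipher suite the server selected, and reports the same "unknown cipher returned" condition when that suite is absent from the library's table. The ServerHello bytes are constructed inline, not captured traffic; the OpenSSL 1.0.2 suite table is an illustrative subset I assumed for the example, not the library's real list; the ChaCha20 suite IDs are the RFC 7905 values.

```python
import struct

# RFC 7905 ChaCha20-Poly1305 suites. OpenSSL added them in 1.1.0; a 1.0.2
# build (as in the thread) has no entry for these IDs.
CHACHA20_SUITES = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Assumed illustrative subset of suites a 1.0.2 build knows. A real check
# would use the output of `openssl ciphers -V` from the build Squid links.
OPENSSL_102_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Table a ChaCha20-capable library (OpenSSL 1.1.0+, LibreSSL) would carry.
MODERN_SUITES = {**OPENSSL_102_SUITES, **CHACHA20_SUITES}


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (test input, no extensions)."""
    body = struct.pack(">H", 0x0303)           # server_version = TLS 1.2
    body += bytes(32)                           # random (zeroed for the example)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", cipher_suite)     # the server's choice
    body += b"\x00"                             # compression_method = null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + struct.pack(">H", 0x0303) + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse the record layer + handshake header and return the ServerHello fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4:
        raise ValueError("truncated record")
    if handshake[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 3:
        raise ValueError("ServerHello too short for cipher suite + compression")
    return {
        "version": struct.unpack(">H", body[0:2])[0],
        "random": body[2:34],
        "session_id": body[35:off],
        "cipher_suite": struct.unpack(">H", body[off:off + 2])[0],
        "compression": body[off + 2],
    }


def check_server_choice(record: bytes, known_suites: dict) -> tuple:
    """Mimic the library's lookup of the server-chosen suite against its cipher table.

    Returns ("ok", name) when the suite is known, otherwise
    ("unknown cipher returned", name-or-hex), which is the condition a peeking
    proxy built on a library without that suite hits during step2.
    """
    suite = parse_server_hello(record)["cipher_suite"]
    if suite in known_suites:
        return ("ok", known_suites[suite])
    return ("unknown cipher returned", CHACHA20_SUITES.get(suite, "0x%04X" % suite))


if __name__ == "__main__":
    hello = build_server_hello(0xCCA9)
    print("OpenSSL 1.0.2-like table:", check_server_choice(hello, OPENSSL_102_SUITES))
    print("ChaCha20-capable table:  ", check_server_choice(hello, MODERN_SUITES))
```

The point the example makes: Squid is only relaying the handshake, but the library it uses to read the ServerHello must still recognise the selected suite, so an old cipher table is enough to break a splice even though nothing is bumped. On a real host, `openssl ciphers -V` run against the OpenSSL or LibreSSL build Squid links to shows whether the `0xCC,0xA8` / `0xCC,0xA9` suites are in its table.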