[squid-users] Peeking on TLS traffic: unknown cipher returned

Leandro Barragan lean0x2f at gmail.com
Fri Oct 21 15:58:52 UTC 2016


James, thanks for your advice! I've read your email on this list about
LibreSSL. I tried to compile Squid with LibreSSL in the first place
because of what you wrote about ChaCha20. But unfortunately, I
couldn't, compilation stopped because of some obscure error.

Do you remember what version of squid and libressl you used? BTW I
tried with OpenSSL 1.0.2g applying the CloudFlare ChaCha20 patch, but
it doesn't work either, same error (unknown cipher).

Thanks!

On 21 October 2016 at 10:55, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2016-10-20 20:15, Leandro Barragan wrote:
>>
>> Thanks for your time Alex! I modified my original config based on Amos
>> recommendations, so I think now I have a more consistent peek & splice
>> config:
>>
>>  acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>>  ssl_bump peek all
>>  ssl_bump terminate TF
>>  ssl_bump splice all
>>
>> As you mentioned, terminate closes the connection, it doesn't serve an
>> error page (when it works, i.e. with reddit and twitter).
>>
>> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
>> same exact issue, even with this new config. Based on what you
>> explained, I think it's a OpenSSL problem and Squid can't do anything
>> about it. I have two reasons to believe that:
>>
>> 1) The "unknown cipher returned" error gets triggered on terminated
>> and non terminated (e.g. microsoft.com) sites, which makes me think it
>> has nothing to do with Squid ACLs.
>> 2) All problematic sites use a new cipher called "ChaCha20" (E.g.
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256....according to Qualys
>> online analyzer and TestSSLServer tool)
>>
>> A lot of sites are using this new cipher. I'm back at the beginning, I
>> will continue trying to compile Squid with patched versions of OpenSSL
>> or LibreSSL.
>>
>> Thanks!
>>
>> On 20 October 2016 at 01:01, Alex Rousskov
>> <rousskov at measurement-factory.com> wrote:
>>>
>>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>>>
>>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
>>>>> returned (1/-1/0)
>>>
>>>
>>>> I fail to see why is this happening. I only need to peek on the
>>>> connection and make a decision based on SNI,
>>>
>>>
>>> Please note that "peek and make a decision based on SNI" is not what
>>> your configuration tells Squid to do. Your configuration tells Squid to
>>> peek during step2, which means making a decision based on server
>>> certificates (and SNI).
>>>
>>>
>>>> I'm not Bumping, so I
>>>> don't understand why ciphers matter in my situation.
>>>
>>>
>>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>>> little) and step3. It is possible to completely remove OpenSSL from
>>> step2 but there is currently no project to do that AFAIK.
>>>
>>>
>>>>> ssl_bump peek all step1
>>>>> ssl_bump peek all step2
>>>>> ssl_bump terminate face step3
>>>>> ssl_bump terminate twitter step3
>>>>> ssl_bump splice all step3
>>>
>>>
>>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>>> config. You can safely remove them to arrive at the equivalent ssl_bump
>>> configuration.
>>>
>>>
>>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>>>
>>>> Terminate means impersonating the server and responding to the client
>>>> with an HTTPS error page.
>>>
>>>
>>> Terminate means "close client and server connections immediately". The
>>> problem is not with the terminate action but with peeking (which relies
>>> on OpenSSL, especially during step2, especially in Squid v3).
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>
>
> FWIW I've had great success with the git version of libressl and using the
> below:
>
> ./configure --prefix=/opt/libressl
>
> and for squid:
>
> ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
> --enable-ssl-crtd
>
> James
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
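The point Alex makes above is that "peek" in Squid v3 still hands the ServerHello to OpenSSL, so a suite the library does not know (here the ChaCha20-Poly1305 suites, which OpenSSL 1.0.2 lacks) fails in SSL3_GET_SERVER_HELLO even though nothing is being decrypted. Below is an added illustration, not Squid's code and not part of this thread, of what a peek step actually needs: the SNI from the ClientHello and the suite code from the ServerHello, read straight from the handshake bytes, with an unknown suite reported by number instead of aborting. The ACL from the thread (facebook/fbcdn/twitter/reddit) is used as the terminate list; the hello messages are constructed in the block, not captured traffic, and the suite table is deliberately partial so the unknown-cipher path is exercised.

```python
"""Toy TLS peek: read SNI from a ClientHello and the negotiated suite from a
ServerHello without any crypto library, so an unfamiliar suite is a label,
not a fatal error. Added example; not Squid code."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SNI = 0x0000

# Deliberately partial table (IANA codes) so unknown suites show up.
KNOWN_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}


def suite_name(code):
    """Name a suite if we know it; otherwise keep the code instead of failing."""
    return KNOWN_SUITES.get(code, "UNKNOWN(0x%04x)" % code)


def parse_handshake(record):
    """Split one TLS record into (handshake_type, handshake_body)."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + length:
        raise ValueError("not a complete handshake record")
    frag = record[5:5 + length]
    hs_len = int.from_bytes(frag[1:4], "big")
    return frag[0], frag[4:4 + hs_len]


def _after_session_id(body):
    # Both hellos start with version(2) random(32) session_id_len(1) session_id.
    return 35 + body[34]


def client_hello_sni(body):
    """Walk ClientHello extensions and return the host_name from server_name, if any."""
    pos = _after_session_id(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                      # skip cipher_suites
    pos += 1 + body[pos]                   # skip compression_methods
    if pos >= len(body):
        return None                        # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SNI:
            # server_name_list: list_len(2) name_type(1) name_len(2) host_name
            name_type = edata[2]
            name_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0:
                return edata[5:5 + name_len].decode("ascii")
    return None


def server_hello_suite(body):
    """The suite chosen by the server sits right after the session id."""
    pos = _after_session_id(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def peek_decision(client_record, server_record, terminate_substrings):
    """Mimic peek -> terminate/splice: act on SNI, merely report the suite."""
    hs_type, cbody = parse_handshake(client_record)
    if hs_type != CLIENT_HELLO:
        raise ValueError("expected ClientHello")
    hs_type, sbody = parse_handshake(server_record)
    if hs_type != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    sni = client_hello_sni(cbody) or ""
    hit = any(s in sni.lower() for s in terminate_substrings)
    return {"sni": sni,
            "suite": suite_name(server_hello_suite(sbody)),
            "action": "terminate" if hit else "splice"}


# --- constructed sample hellos (not captured traffic) ---
def _record(hs_type, hs_body):
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def build_client_hello(sni, suites=(0xCCA9, 0xC02F)):
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    ext_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SNI, len(ext_data)) + ext_data
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


if __name__ == "__main__":
    tf = ["facebook", "fbcdn", "twitter", "reddit"]
    for host, suite in [("www.reddit.com", 0xCCA9), ("www.microsoft.com", 0xC02F),
                        ("www.example.com", 0x1301)]:
        print(peek_decision(build_client_hello(host), build_server_hello(suite), tf))
```

The last sample uses 0x1301 (a TLS 1.3 suite that is not in the toy table) to show the failure mode the thread is about: the decision still comes back, only the suite label says UNKNOWN. On a real Squid box the quick check for whether the linked library knows the suites at all is `openssl ciphers -v 'CHACHA20'` against the OpenSSL or LibreSSL build Squid was compiled with; an empty list means peeking on a ChaCha20-only server will hit exactly the error quoted at the top of this thread.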

