[squid-users] Peeking on TLS traffic: unknown cipher returned

Leandro Barragan lean0x2f at gmail.com
Sat Oct 22 13:35:58 UTC 2016


Thanks a lot James, compiling Squid 3.5.22 using that specific commit
of LibreSSL worked like a charm! I no longer have those "unknown cipher
returned" errors. I do have some errors with a tiny number of sites,
but I suppose it's because of server-side misconfigurations that
LibreSSL simply doesn't like.


On 21 October 2016 at 13:01, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2016-10-21 09:58, Leandro Barragan wrote:
>>
>> James, thanks for your advice! I've read your email on this list about
>> LibreSSL. I tried to compile Squid with LibreSSL in the first place
>> because of what you wrote about ChaCha20. But unfortunately, I
>> couldn't, compilation stopped because of some obscure error.
>>
>> Do you remember what version of squid and libressl you used? BTW I
>> tried with OpenSSL 1.0.2g applying the CloudFlare ChaCha20 patch, but
>> it doesn't work either, same error (unknown cipher).
>>
>> Thanks!
>>
>> On 21 October 2016 at 10:55, James Lay <jlay at slave-tothe-box.net> wrote:
>>>
>>> On 2016-10-20 20:15, Leandro Barragan wrote:
>>>>
>>>>
>>>> Thanks for your time Alex! I modified my original config based on Amos's
>>>> recommendations, so I think now I have a more consistent peek & splice
>>>> config:
>>>>
>>>>  acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>>>>  ssl_bump peek all
>>>>  ssl_bump terminate TF
>>>>  ssl_bump splice all
>>>>
>>>> As you mentioned, terminate closes the connection, it doesn't serve an
>>>> error page (when it works, i.e. with reddit and twitter).
>>>>
>>>> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
>>>> same exact issue, even with this new config. Based on what you
>>>> explained, I think it's an OpenSSL problem and Squid can't do anything
>>>> about it. I have two reasons to believe that:
>>>>
>>>> 1) The "unknown cipher returned" error gets triggered on terminated
>>>> and non-terminated (e.g. microsoft.com) sites, which makes me think it
>>>> has nothing to do with Squid ACLs.
>>>> 2) All problematic sites use a new cipher called "ChaCha20" (e.g.
>>>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, according to the Qualys
>>>> online analyzer and the TestSSLServer tool).
>>>>
>>>> A lot of sites are using this new cipher. I'm back at the beginning, I
>>>> will continue trying to compile Squid with patched versions of OpenSSL
>>>> or LibreSSL.
>>>>
>>>> Thanks!
>>>>
>>>> On 20 October 2016 at 01:01, Alex Rousskov
>>>> <rousskov at measurement-factory.com> wrote:
>>>>>
>>>>>
>>>>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>>>>>
>>>>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
>>>>>>> returned (1/-1/0)
>>>>>
>>>>>
>>>>>
>>>>>> I fail to see why is this happening. I only need to peek on the
>>>>>> connection and make a decision based on SNI,
>>>>>
>>>>>
>>>>>
>>>>> Please note that "peek and make a decision based on SNI" is not what
>>>>> your configuration tells Squid to do. Your configuration tells Squid to
>>>>> peek during step2, which means making a decision based on server
>>>>> certificates (and SNI).
>>>>>
>>>>>
>>>>>> I'm not Bumping, so I
>>>>>> don't understand why ciphers matter in my situation.
>>>>>
>>>>>
>>>>>
>>>>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>>>>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>>>>> little) and step3. It is possible to completely remove OpenSSL from
>>>>> step2 but there is currently no project to do that AFAIK.
>>>>>
>>>>>
>>>>>>> ssl_bump peek all step1
>>>>>>> ssl_bump peek all step2
>>>>>>> ssl_bump terminate face step3
>>>>>>> ssl_bump terminate twitter step3
>>>>>>> ssl_bump splice all step3
>>>>>
>>>>>
>>>>>
>>>>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>>>>> config. You can safely remove them to arrive at the equivalent ssl_bump
>>>>> configuration.
>>>>>
>>>>>
>>>>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>>>>>
>>>>>>
>>>>>> Terminate means impersonating the server and responding to the client
>>>>>> with an HTTPS error page.
>>>>>
>>>>>
>>>>>
>>>>> Terminate means "close client and server connections immediately". The
>>>>> problem is not with the terminate action but with peeking (which relies
>>>>> on OpenSSL, especially during step2, especially in Squid v3).
>>>>>
>>>>>
>>>>> HTH,
>>>>>
>>>>> Alex.
>>>
>>>
>>>
>>> FWIW I've had great success with the git version of libressl and using
>>> the below:
>>>
>>> ./configure --prefix=/opt/libressl
>>>
>>> and for squid:
>>>
>>> ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
>>> --enable-ssl-crtd
>>>
>>> James
>
>
> I'm currently using squid-3.5.22 and using the below git for libressl:
>
> commit b7ba692f72f232602efb3e720ab0510406bae69c
> Author: Brent Cook <bcook at openbsd.org>
> Date:   Wed Sep 14 23:40:10 2016 -0500
>
> What's the error you're getting when you try and compile?
>
>
> James
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
