[squid-users] Peeking on TLS traffic: unknown cipher returned

James Lay jlay at slave-tothe-box.net
Sat Oct 22 13:52:57 UTC 2016


Excellent...glad it worked.
James
On Sat, 2016-10-22 at 10:35 -0300, Leandro Barragan wrote:
> Thanks a lot James, compiling Squid 3.5.22 using that specific commit
> of LibreSSL worked like a charm! I no longer have those "unknown cipher
> returned" errors. I do have some errors with a tiny number of sites,
> but I suppose it's because of server-side misconfigurations that
> LibreSSL simply doesn't like.
> 
> 
> On 21 October 2016 at 13:01, James Lay <jlay at slave-tothe-box.net>
> wrote:
> > 
> > On 2016-10-21 09:58, Leandro Barragan wrote:
> > > 
> > > 
> > > James, thanks for your advice! I've read your email on this list
> > > about LibreSSL. I tried to compile Squid with LibreSSL in the first
> > > place because of what you wrote about ChaCha20. But unfortunately, I
> > > couldn't; compilation stopped because of some obscure error.
> > > 
> > > Do you remember what version of Squid and LibreSSL you used? BTW I
> > > tried with OpenSSL 1.0.2g applying the CloudFlare ChaCha20 patch, but
> > > it doesn't work either, same error (unknown cipher).
> > > 
> > > Thanks!
> > > 
> > > On 21 October 2016 at 10:55, James Lay <jlay at slave-tothe-box.net>
> > > wrote:
> > > > 
> > > > 
> > > > On 2016-10-20 20:15, Leandro Barragan wrote:
> > > > > 
> > > > > 
> > > > > 
> > > > > Thanks for your time Alex! I modified my original config based on
> > > > > Amos's recommendations, so I think now I have a more consistent
> > > > > peek & splice config:
> > > > > 
> > > > >  acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
> > > > >  ssl_bump peek all
> > > > >  ssl_bump terminate TF
> > > > >  ssl_bump splice all
> > > > > 
> > > > > As you mentioned, terminate closes the connection, it doesn't
> > > > > serve an error page (when it works, i.e. with reddit and twitter).
> > > > > 
> > > > > I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
> > > > > same exact issue, even with this new config. Based on what you
> > > > > explained, I think it's an OpenSSL problem and Squid can't do
> > > > > anything about it. I have two reasons to believe that:
> > > > > 
> > > > > 1) The "unknown cipher returned" error gets triggered on
> > > > > terminated and non-terminated (e.g. microsoft.com) sites, which
> > > > > makes me think it has nothing to do with Squid ACLs.
> > > > > 2) All problematic sites use a new cipher called "ChaCha20"
> > > > > (e.g. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256... according
> > > > > to the Qualys online analyzer and the TestSSLServer tool)
> > > > > 
> > > > > A lot of sites are using this new cipher. I'm back at the
> > > > > beginning, I will continue trying to compile Squid with patched
> > > > > versions of OpenSSL or LibreSSL.
> > > > > 
> > > > > Thanks!
> > > > > 
> > > > > On 20 October 2016 at 01:01, Alex Rousskov
> > > > > <rousskov at measurement-factory.com> wrote:
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > On 10/19/2016 12:44 AM, Leandro Barragan wrote:
> > > > > > 
> > > > > > > > error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
> > > > > > 
> > > > > > 
> > > > > > > I fail to see why this is happening. I only need to peek on
> > > > > > > the connection and make a decision based on SNI,
> > > > > > 
> > > > > > 
> > > > > > Please note that "peek and make a decision based on SNI" is not
> > > > > > what your configuration tells Squid to do. Your configuration
> > > > > > tells Squid to peek during step2, which means making a decision
> > > > > > based on server certificates (and SNI).
> > > > > > 
> > > > > > 
> > > > > > > I'm not Bumping, so I don't understand why ciphers matter in
> > > > > > > my situation.
> > > > > > 
> > > > > > 
> > > > > > The ciphers matter because Squid v3 uses OpenSSL parsers during
> > > > > > step1, step2, and step3. FWIW, Squid v4 uses OpenSSL parsers
> > > > > > during step2 (a little) and step3. It is possible to completely
> > > > > > remove OpenSSL from step2 but there is currently no project to
> > > > > > do that AFAIK.
> > > > > > 
> > > > > > 
> > > > > > > 
> > > > > > > > 
> > > > > > > > ssl_bump peek all step1
> > > > > > > > ssl_bump peek all step2
> > > > > > > > ssl_bump terminate face step3
> > > > > > > > ssl_bump terminate twitter step3
> > > > > > > > ssl_bump splice all step3
> > > > > > 
> > > > > > 
> > > > > > BTW, "step1", "step2", and "step3" ACLs do nothing useful in the
> > > > > > above config. You can safely remove them to arrive at the
> > > > > > equivalent ssl_bump configuration.
> > > > > > 
> > > > > > 
> > > > > > On 10/19/2016 07:42 AM, Amos Jeffries wrote:
> > > > > > > Terminate means impersonating the server and responding to the
> > > > > > > client with an HTTPS error page.
> > > > > > 
> > > > > > 
> > > > > > Terminate means "close client and server connections
> > > > > > immediately". The problem is not with the terminate action but
> > > > > > with peeking (which relies on OpenSSL, especially during step2,
> > > > > > especially in Squid v3).
> > > > > > 
> > > > > > 
> > > > > > HTH,
> > > > > > 
> > > > > > Alex.
> > > > 
> > > > 
> > > > FWIW I've had great success with the git version of LibreSSL and
> > > > using the below:
> > > > 
> > > > ./configure --prefix=/opt/libressl
> > > > 
> > > > and for squid:
> > > > 
> > > > ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl --enable-ssl-crtd
> > > > 
> > > > James
> > 
> > I'm currently using squid-3.5.22 and using the below git commit for
> > LibreSSL:
> > 
> > commit b7ba692f72f232602efb3e720ab0510406bae69c
> > Author: Brent Cook <bcook at openbsd.org>
> > Date:   Wed Sep 14 23:40:10 2016 -0500
> > 
> > What's the error you're getting when you try and compile?
> > 
> > 
> > James
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
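The thread's diagnosis is that the failure comes from the TLS library parsing the server's reply during step2, not from Squid's ACLs. As an added example that is not part of this thread or of Squid, the Python below models that check: it parses a constructed ServerHello, looks the chosen suite up in a cipher table, and reports the same "unknown cipher returned" symptom when the table lacks the ChaCha20 suites (the IANA IDs 0xCCA8/0xCCA9 from RFC 7905 are my addition, not from the thread).

```python
"""Parse a TLS 1.2 ServerHello and look up the negotiated cipher suite.

Models why a peeking proxy fails at step2: the library must name the suite
the server picked, even though no bumping will ever happen.
"""
import struct

# Subset of IANA cipher-suite IDs an older library table would contain.
KNOWN_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Final RFC 7905 IDs for the ChaCha20-Poly1305 suites the thread mentions.
CHACHA20_SUITES = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}

class UnknownCipher(Exception):
    """Raised when the server selects a suite the table does not know."""

def parse_server_hello(record: bytes) -> int:
    """Return the cipher-suite ID chosen in a TLS handshake record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rlen != len(record) - 5:   # 22 = handshake
        raise ValueError("not a complete handshake record")
    body = record[5:]
    if body[0] != 2:                               # 2 = ServerHello
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # 2 bytes server_version, 32 bytes random, then a length-prefixed
    # session_id; the 2-byte cipher_suite follows immediately after it.
    sid_len = hello[34]
    off = 35 + sid_len
    return struct.unpack("!H", hello[off:off + 2])[0]

def negotiated_suite(record: bytes, table: dict) -> str:
    """Name the chosen suite, or fail the way the thread's library did."""
    suite = parse_server_hello(record)
    if suite not in table:
        raise UnknownCipher(f"unknown cipher returned: 0x{suite:04X}")
    return table[suite]

def build_server_hello(suite: int) -> bytes:
    """Constructed ServerHello: TLS 1.2, zero random, empty session id."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
```

Running `negotiated_suite(build_server_hello(0xCCA9), KNOWN_SUITES)` raises the error, while the same record against `{**KNOWN_SUITES, **CHACHA20_SUITES}` names the suite, which is the difference between the OpenSSL 1.0.2 and LibreSSL builds discussed above.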