[squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Rafael Akchurin rafael.akchurin at diladele.com
Fri Apr 28 16:00:53 UTC 2017


Hello David and all,

According to https://www.ssllabs.com/ssltest/analyze.html?d=www.boutique.afnor.org&hideResults=on you do not need to add any intermediate certificates to system storage - the site seems to be sending the whole chain as it should...

BUT the overall site SSL rating is so bad..

Raf

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of David Touzeau
Sent: Friday, April 28, 2017 10:14 AM
To: 'Yuri Voinov'; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

I'm fighting to find the correct certificate chain for this website:
https://www.boutique.afnor.org

I have also added all certificates included in this package:
https://packages.debian.org/fr/sid/ca-certificates


Do you have any tips to help?

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Thursday 27 April 2017 23:26
To: David Touzeau <david at articatech.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Be careful with the intermediate CAs you grabbed. Check their validity, fingerprints and attributes.

Proxying SSL requires much more work with Squid.


28.04.2017 3:12, David Touzeau wrote:
> Thanks Yuri
>
> ! but I still have the error "Error negotiating SSL on FD 13:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the
> site (as I've seen you can with your squid...???)
Yes. With two different versions.
>
> Created a file /etc/squid3/cabundle.pem
>
> Added Symantec certificates available here:
> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id
> =INFO2047
>
> add
>
> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>
> and perform a squid -k reconfigure
>
> Missing something ???
Maybe. I recommend re-initializing the mimic certificates DB too and restarting Squid, not reconfiguring.

Keep in mind that SSL bump is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.
>
> Best regards
>
> -----Original Message-----
> From: Yuri Voinov [mailto:yvoinov at gmail.com]
> Sent: Thursday 27 April 2017 22:52
> To: David Touzeau <david at articatech.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Squid can't have any intermediate certificates. The same goes for root CAs.
>
> You can use this:
>
> #  TAG: sslproxy_foreign_intermediate_certs
> #    Many origin servers fail to send their full server certificate
> #    chain for verification, assuming the client already has or can
> #    easily locate any missing intermediate certificates.
> #
> #    Squid uses the certificates from the specified file to fill in
> #    these missing chains when trying to validate origin server
> #    certificate chains.
> #
> #    The file is expected to contain zero or more PEM-encoded
> #    intermediate certificates. These certificates are not treated
> #    as trusted root certificates, and any self-signed certificate in
> #    this file will be ignored.
> #Default:
> # none
>
> However, you should identify and collect them by yourself.
>
> The biggest problem:
>
> Unlike root CAs, which can be taken from Mozilla's, intermediate
> CAs are spread over the CA providers, have a much shorter validity period (in most
> cases up to 5-7 years) and, for this reason, must be continuously
> maintained by the proxy admin.
>
> Also, remove this:
>
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
> from your config. Don't. Never. This completely disables ANY
> security checks for certificates, which exposes your users to a giant vulnerability.
> sslproxy_cert_error should be restricted by very specific ACL(s) in
> your config, only for the number of sites you trust.
>
> 28.04.2017 2:27, David Touzeau wrote:
>> Hi Yuri,
>>
>> I did not know if Squid has the Symantec intermediate certificate; Squid
>> is installed as default...
>> Any howto?
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
>> On Behalf Of Yuri Voinov
>> Sent: Thursday 27 April 2017 22:09
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>> Look. It can be an intermediate certificates issue.
>>
>> Does Squid have Symantec intermediate certificates?
>>
>>
>> 27.04.2017 22:47, David Touzeau wrote:
>>> Hi,
>>> I'm unable to access the https://www.boutique.afnor.org website.
>>> I would like to know if this issue cannot be fixed and I must deny
>>> bumping the website to fix it.
>>> Without Squid the website is correctly displayed.
>>>
>>> Squid claims an error page with "(71) Protocol error (TLS code:
>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>
>>> In cache.log: "Error negotiating SSL on FD 17:
>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>
>>> Using the following configuration:
>>>
>>> http_port 0.0.0.0:3128 name=MyPortNameID20 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>>> sslcrtd_children 16 startup=5 idle=1
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>>
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>>
>>>
>>> Openssl info
>>> ------------------------------------------------------------------------
>>>
>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>>> verify return:1
>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>>> verify return:1
>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3105 bytes and written 616 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES128-SHA
>>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>     Session-ID-ctx:
>>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1493311275
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> read:errno=0
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>

--
Bugs to the Future
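The thread's two practical points, collecting intermediate certificates into the file named by sslproxy_foreign_intermediate_certs and Yuri's warning to check the validity and fingerprints of whatever was grabbed, as an added example that is not part of the original thread and not Squid's own tooling. The POSIX shell script below splits a PEM bundle into single certificates, classifies each one, and prints the subject, issuer, expiry and SHA-256 fingerprint an admin needs to keep the file maintained. Self-signed certificates are flagged because, as the quoted directive documentation says, Squid ignores them in that file; expired ones are flagged because intermediates have the short validity Yuri describes. It requires the openssl CLI; the bundle path, the fetch_served_intermediates helper and its host argument are assumptions for illustration, and the certificate used to exercise it is constructed on the fly.

```shell
#!/bin/sh
# audit_intermediates.sh: sanity-check a PEM bundle intended for Squid's
# sslproxy_foreign_intermediate_certs. Added example, not Squid code.

# Split a PEM bundle ($1) into cert-NNN.pem files in directory $2 and
# print how many certificates were found.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Classify one PEM certificate: prints "self-signed", "expired" or "ok".
# Squid ignores self-signed entries in the foreign-intermediate file, so
# they only add confusion; expired intermediates can no longer complete a chain.
classify_cert() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # Same name in subject and issuer: self-issued, i.e. a root, not an intermediate.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed; return
    fi
    # -checkend 0 fails (exit 1) when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired; return
    fi
    echo ok
}

# Print a maintenance report for every certificate in bundle $1.
audit_bundle() {
    bundle=$1
    tmp=$(mktemp -d)
    count=$(split_bundle "$bundle" "$tmp")
    echo "$count certificate(s) in $bundle"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        status=$(classify_cert "$c")
        echo "[$status] $(openssl x509 -in "$c" -noout -subject)"
        openssl x509 -in "$c" -noout -issuer -enddate -fingerprint -sha256 | sed 's/^/    /'
    done
    rm -rf "$tmp"
}

# Hypothetical helper (needs network, not exercised here): save the
# intermediates a server actually sends, leaf excluded, into file $2, so they
# can be compared against or appended to the bundle. If this file comes out
# empty the server sends no intermediates and the admin must source them.
fetch_served_intermediates() {
    host=$1; out=$2
    printf '' | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
             inblk && n > 1 { print }
             /-----END CERTIFICATE-----/ { inblk = 0 }' > "$out"
}

# Stand-alone use: ./audit_intermediates.sh /etc/squid3/cabundle.pem
if [ $# -gt 0 ]; then
    audit_bundle "$1"
fi
```

Run it against the bundle before `squid -k reconfigure`; any line tagged `[self-signed]` is a root that belongs in the system trust store rather than this file, and any `[expired]` line is an intermediate that must be refreshed from the issuing CA.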
