[squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah adrian.m.miller at gmail.com
Thu Mar 2 02:59:08 UTC 2017


Decided to fiddle with it one last time....

If i change my cipher entries from

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

to

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

I get content from dl.xda-developers.com just fine

But i wont pretend i understand the cipher chain, or whether the change is
a good thing


On 2 March 2017 at 13:01, Adrian Miller <adrian.m.miller at gmail.com> wrote:

> >That command you used does not send data through the proxy. So that
> >confirms that the servers TLS is broken in a way unrelated to Squid.
>
> As that may be, when i go direct (sans proxy) i get thumbnails...no issues
> Toggle the proxy back on and no thumbnails, and opening an image link
> gives the
> error initially reported.
>
> (71) Protocol error (TLS code:
>  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> So both Ie and FF will just load anything from dl.xda-developers.com and
> not
> register an issue, but squid will refuse to load the content and generate
> the error
>
> >You need to locate the root CA and/or intermediate CA certificates used
> >to sign the domain servers certificate.
>
> >You then need to identify *why* they are not being trusted by your OS
> >library.
>
> >Be sure to determine whether the CA which is missing is actually
> >trustworthy before adding it to your trusted set. More than a few of the
> >CA which are around are not trusted because they have been hacked or
> >caught signing forged certificates they should not have.
>
> I aalways learn something when youre silly enough to reply :)
>
> When i ran dl.xda-developers.com through ssllabs (thanks google), it gave
> me a less than glowing report, including
> an incomplete cert chain (i say that like i understand it :) ) or as it
> put it:
>
> This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
> <https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable>
> and exploitable. Grade set to F.
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability
> (CVE-2016-2107)
> <https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/>
> and insecure. Grade set to F.
> This server accepts RC4 cipher, but only with older browsers. Grade capped
> to B.  MORE INFO ยป
> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
> This server's certificate chain is incomplete. Grade capped to B.
>
> Full report here for the curious: https://globalsign.ssllabs.
> com/analyze.html?d=dl.xda-developers.com&hideResults=on
>
> For a few thumbnails im not going to torture myself, maybe ill send the
> forum admin a note instead :)
>
> >PS.  EECDH will not work unless you configure a curve name in the
> >tls-dh= option. Just having dhparam.pem alone will only enable the less
> >secure DH ciphers.
>
> I did add a curve to the tls-dh param, im guessing tis correct, little
> info on which one to use (grabbing the list from my local openssl had me
> going what the hell)
>
> tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem
>
> Note: this made no difference whatsoever with my issue
>
> Cheers,
>
> Adrian Miller
>
>
>
> On 2 March 2017 at 04:08, Adrian Miller <adrian.m.miller at gmail.com> wrote:
>
>> Thanks Amos for the info, appreciate your tireless assistance for us
>> numpties :)
>>
>> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <
>> ml-node+s1019090n4681642h47 at n4.nabble.com> wrote:
>>
>>> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>>>
>>> > This is driving me nuts, its the only issue ive found running ssl bump
>>> on my
>>> > home network for eons
>>> >
>>> > I cant see image thumbnails on xda-developers...
>>> >
>>> > When i access a thread with them, i get text links, not thumbnails,
>>> and if i
>>> > click on the links i get the following:
>>> >
>>> >
>>> >     (71) Protocol error (TLS code:
>>> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>> >
>>> >     SSL Certficate error: certificate issuer (CA) not known:
>>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> >
>>> > I figured out by googling how to (i hope) trace the problem
>>> certificate via
>>> > s_client:
>>> >
>>> >
>>> > OpenSSL> s_client -showcerts -verify 32 -connect
>>> dl.xda-developers.com:443
>>> > verify depth is 32
>>> > CONNECTED(0000012C)
>>> > depth=0 CN = *.xda-developers.com
>>> > verify error:num=20:unable to get local issuer certificate
>>> > verify return:1
>>> > depth=0 CN = *.xda-developers.com
>>> > verify error:num=21:unable to verify the first certificate
>>> > verify return:1
>>>
>>> That command you used does not send data through the proxy. So that
>>> confirms that the servers TLS is broken in a way unrelated to Squid.
>>>
>>>
>>>
>>> > ---
>>> > Certificate chain
>>> >  0 s:/CN=*.xda-developers.com
>>> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> ...
>>>
>>> > ---
>>> > Server certificate
>>> > subject=/CN=*.xda-developers.com
>>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> > ---
>>> > No client certificate CA names sent
>>> > Peer signing digest: SHA512
>>> > Server Temp Key: ECDH, P-256, 256 bits
>>> > ---
>>> > SSL handshake has read 2067 bytes and written 302 bytes
>>> > Verification error: unable to verify the first certificate
>>>
>>> >
>>> > Ive found the intermediate bundle from RapidSS, and added it to my
>>> existing
>>> > pem bundle...no change
>>>
>>> You need to locate the root CA and/or intermediate CA certificates used
>>> to sign the domain servers certificate.
>>>
>>> You then need to identify *why* they are not being trusted by your OS
>>> library.
>>>
>>> Be sure to determine whether the CA which is missing is actually
>>> trustworthy before adding it to your trusted set. More than a few of the
>>> CA which are around are not trusted because they have been hacked or
>>> caught signing forged certificates they should not have.
>>>
>>>
>>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
>>> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
>>> >
>>> > My sslbump related config lines are:
>>> >
>>> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
>>> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
>>>
>>> > capath=/cygdrive/e/Squid/etc/ssl
>>> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
>>> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
>>> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>>
>>> PS.  EECDH will not work unless you configure a curve name in the
>>> tls-dh= option. Just having dhparam.pem alone will only enable the less
>>> secure DH ciphers.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email] <http:///user/SendEmail.jtp?type=node&node=4681642&i=0>
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>> ------------------------------
>>> If you reply to this email, your message will be added to the discussion
>>> below:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-
>>> and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681642.html
>>> To unsubscribe from SSL Bump and Certificate issue - RapidSSL
>>> Intermediate Cert, click here
>>> <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681635&code=YWRyaWFuLm0ubWlsbGVyQGdtYWlsLmNvbXw0NjgxNjM1fDE5ODY3MjIyMDI=>
>>> .
>>> NAML
>>> <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>>>
>>
>
>
> --
> I hate to advocate *drugs*, *alcohol*,* violence *or
> *insanity* to anyone, *but* they've *always* worked for* me*
>
> - Hunter S. Thompson
>



-- 
I hate to advocate *drugs*, *alcohol*,* violence *or
*insanity* to anyone, *but* they've *always* worked for* me*

- Hunter S. Thompson




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681647.html
Sent from the Squid - Users mailing list archive at Nabble.com.


More information about the squid-users mailing list