[squid-users] SSL Bump issues

mr_jrt lists.squid-users at jamie-thompson.co.uk
Mon Mar 20 01:58:19 UTC 2017


Hello all,

Brief version:
Can't get ssl_bump working to get an old XP system's schannel.dll (i.e.
built-in SSL) talking to a TLS 1.2 server, but it works with Firefox (which has
its own SSL stack).

Long version:
This afternoon's task was to try and solve the issue of an old internal
legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but
needs to be able to speak to servers running TLS 1.2. I've tried several
approaches, but using squid with ssl_bump seemed to be the most appropriate
solution, but for the life of me, I've not been able to get it to work
properly, so was hoping for a few pointers.

The software that needs to run uses the built-in schannel dll, but it can
have a proxy specified, so things don't have to be transparent, ...but it
does get stuck with all the limitations of the ancient schannel dll. It does,
however, mean I can use the system's IE for testing.

First up, I'm running Debian on my squid server. That means the distro
packages don't have ssl support compiled in, so I had to compile my own
packages. The version is 3.5.23, and the relevant configure output is:



I had to compile against the older version of openssl due to the changes in
their locking API, so I installed
https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to
compile successfully.

I've looked at countless examples, i.e.
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

...but the only way I've got any successful SSL proxying is with:


...but as expected, that's clearly not doing any bumping from the logs:



When I put anything more in, i.e.


Then it turns on the mode:


...but then I just get errors about no ciphers:


I have a test site I'm using that I can fiddle with the ciphers on, and I
can access it fine from the legacy system directly when I enable the old
stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or
maybe, decryption from the client?) that isn't working as it still won't
connect regardless of what I try.

Even if I throw in an explicit list of ciphers, copied from the target
server (incidentally, the same host as squid, if that's relevant), still
nada.

Interestingly, ssl_bump seems to work perfectly fine from Firefox from the
same machine, even when crippled down to TLS 1.0 only with the server set to
restrict to TLS 1.2. So it seems to be doing what I want, just not for
schannel.dll? I'm suspecting that openssl as used by squid can't speak any
ciphers that schannel can, so it seems the issue isn't actually between
squid and the target server, but between squid and the old client...



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-issues-tp4681843.html
Sent from the Squid - Users mailing list archive at Nabble.com.
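The layout described above (explicit proxy, legacy client stuck on TLS 1.0, origin requiring TLS 1.2), as an added illustration for Squid 3.5 rather than configuration from the post. It assumes client-first bumping at step 1 (so the CONNECT hostname supplies the certificate name and Squid picks its own server-side TLS parameters instead of mimicking the client's hello); the port, paths, client address and cipher names are placeholders.

```conf
# Added illustration (not from the post): a minimal Squid 3.5 ssl_bump layout
# that keeps the client-facing and server-facing TLS settings separate.
# Port, paths, client address and the cipher list are assumptions.

# Explicit proxy port the legacy client is pointed at. Settings on this line
# govern only the TLS session between Squid and the client, so this side can
# be left permissive enough for an old schannel stack (TLS 1.0, CBC ciphers).
# The cipher names are assumed to match what the client offers; verify them
# against its ClientHello in a capture before relying on them.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/bump-ca.pem \
    options=NO_SSLv2,NO_SSLv3 \
    cipher=DES-CBC3-SHA:AES128-SHA:AES256-SHA

# Helper that mints per-host certificates signed by the bump CA above.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Server-facing side: Squid's own OpenSSL talks to the origin, so it can be
# held to TLS 1.2 and modern ciphers regardless of what the client offered.
# Origin certificate errors stay fatal (the default) so the bump does not
# silently hide a bad origin certificate from the client.
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1
sslproxy_cipher HIGH:!aNULL:!MD5:!RC4
sslproxy_cert_error deny all

# Bump only the one legacy host at step 1 (client-first); everything else is
# spliced through untouched. The client address is a placeholder.
acl legacy_client src 192.0.2.10/32
ssl_bump bump legacy_client
ssl_bump splice all
```

The key distinction is that `cipher=`/`options=` on `http_port` apply to the client side while `sslproxy_cipher`/`sslproxy_options` apply to the origin side; a "no ciphers" error with Firefox working but schannel failing points at the former.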

