[squid-users] SSL Bump issues

Mon Mar 20 07:19:54 UTC 2017

Ignoring the Squid part, is it TLS 1.2 that's the root problem, or the 
ciphers?
Are you aware XP schannel.dll has some ciphers and protocols disabled by 
default, even though they're supported?

See here: 
https://support.microsoft.com/en-au/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll

TB

On 20/03/2017 12:58 PM, mr_jrt wrote:
> Hello all,
>
> Brief version:
> Can't get ssl_bump working to get an old XP system's schannel.dll (i.e.
> built-in SSL) talking to a TLS 1.2 server, but works with Firefox (which has
> it's own SSL stack).
>
> Long version:
> This afternoon's task was to try and solve the issue of an old internal
> legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but
> needs to be able to speak to servers running TLS 1.2. I've tried several
> approaches, but using squid with ssl_bump seemed to be the most appropriate
> solution, but for the life of me, I've not been able to get it to work
> properly, so was hoping for a few pointers.
>
> The software that needs to run uses the built-in schannel dll, but it can
> have a proxy specified, so things don't have to be transparent, ...but it
> does get stuck with all the limitations of the ancient schannel dll. Does
> however mean I can use the system's IE for testing.
>
> First up, I'm running Debian on my squid server. That means the distro
> packages don't have ssl support compiled in, so I had to compile my own
> packages. The version is 3.5.23, and the relevant configure output is:
>
>
>
> I had to compile against the older version of openssl due to the changes in
> their locking API, so I installed
> https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to
> compile successfully.
>
> I've looked at countless examples, i.e.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>
>
> I have a test site I'm using that I can fiddle with the ciphers on, and I
> can access it fine from the legacy system directly when I enable the old
> stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or
> maybe, decryption from the client?) that isn't working as it still won't
> connect regardless of what I try.
>
> Even if I throw in an explicit list of ciphers, copied from the target
> server (incidentally, the same host as squid, if that's relevant), still
> nada.
>
> Interestingly, ssl_bump seems to work perfectly fine from Firefox from the
> same machine, even when crippled down to TLS 1.0 only with the server set to
> restrict to TLS 1.2. So it seems to be doing what I want, just not for
> schannel.dll? I'm suspecting that openssl as used by squid can't speak any
> ciphers that schannel can, so it seems the issue isn't actually between
> squid and the target server, but between squid and the old client...
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-issues-tp4681843.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>