[squid-users] Gateway Proxy failure - but only with one browser ...

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 29 18:41:52 UTC 2020


On 4/29/20 2:16 PM, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...

While your symptoms are a bit different, you might be suffering from the
problem fixed by https://github.com/squid-cache/squid/pull/588


> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version


> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;

When staring or bumping, it is. However, "different" does not imply
"unrelated" (as discussed below).


> how can there be a SSL handshake problem between squid and server when
> using an old browser?

Depending on the conditions, Squid relays parts of the browser handshake
when talking to the server. For more (incomplete/stale) details, please
see the "Mimicking TLS Client Hello properties when staring" section at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

IIRC, Squid mimics at least some properties because we wanted Squid to
"represent" the client to the server as faithfully as possible (i.e.,
minimize Squid-introduced changes to the TLS-negotiated parameters). In
retrospect, I am not sure that was the right decision. Perhaps the
choice should be the opposite or configurable.

Please note that I am not trying to justify Squid actions. I am only
explaining why what you observe may be possible. One could argue that
Squid should not mimic the TLS client at all (when staring). I do not
recall whether anybody has tried to make that argument.


HTH,

Alex.


> On 29.04.2020 19:26, Walter H. wrote:
>> I have two squids,
>>
>> one does SSL bump (3.5latest CentOS 6)
>> the other doesn't SSL bump (3.4latest CentOS 6)
>>
>> everything works,
>>
>> I have a site that uses SSL/TLS, and two different browsers (one in a
>> VM with old windows),
>>
>> when I use the squid without SSL bump, the site works with both browsers,
>>
>> but when I use the squid with SSL bump, with the old browser I get a
>> "Gateway Proxy failure"
>>
>> the log shows this:
>>
>> host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
>>
>> compared to the log when using the other browser ...
>>
>> host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
>>
>> is this caused by the browser on old OS itself?
>>
>> squid.conf (of squid with SSL bump)
>>
>> reply_header_access Public-Key-Pins deny all
>>
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
>>
>> ssl_bump peek step1
>> ssl_bump splice nobumpsites
>> ssl_bump stare step2
>> ssl_bump bump all
>>
>> sslproxy_cafile /etc/squid/ca-bundle.trust.crt
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
>>
>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
>> sslcrtd_children 8
>>
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3
>>
>>
>> Thanks,
>> Walter
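The handshake relaying Alex describes above (Squid mimicking parts of the browser's ClientHello toward the origin when staring) can be made visible by looking at what a ClientHello actually carries. The following is an added example, not part of this thread and not Squid's code: a small TLS ClientHello builder and parser that extracts the fields a mimicking proxy might relay (legacy version, cipher suites, SNI, supported_versions) and checks whether a server that requires TLS 1.2 or newer would answer with a protocol_version alert, which is the error string in Walter's cache.log. The hostname is taken from Walter's log; the cipher suite lists, the version values and the `build_client_hello`/`parse_client_hello`/`server_would_reject` helper names are assumptions of this example.

```python
"""Inspect the ClientHello properties a staring/bumping proxy may relay.

Added example (not from the squid-users thread or Squid's code base): build
a TLS ClientHello record, parse back the fields a proxy might mimic toward
the origin (versions, cipher suites, SNI), and decide whether a server that
requires TLS 1.2+ would reject it with a protocol_version alert.
"""
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
    0x0303: "TLS1.2", 0x0304: "TLS1.3",
}
EXT_SERVER_NAME = 0x0000         # RFC 6066 server_name (SNI)
EXT_SUPPORTED_VERSIONS = 0x002b  # RFC 8446 supported_versions


def _extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(legacy_version, cipher_suites, sni=None,
                       supported_versions=None):
    """Construct a handshake record carrying a ClientHello (sample data)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                      # client random (fixed for reproducibility)
    body += b"\x00"                           # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        exts += _extension(EXT_SERVER_NAME,
                           struct.pack("!H", len(entry)) + entry)
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += _extension(EXT_SUPPORTED_VERSIONS, bytes([len(vers)]) + vers)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Initial ClientHello records carry version 0x0301 (0x0300 for SSLv3 clients).
    record_version = 0x0300 if legacy_version == 0x0300 else 0x0301
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse the ClientHello fields a mimicking proxy cares about."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    info = {"record_version": struct.unpack("!H", record[1:3])[0],
            "legacy_version": struct.unpack("!H", body[0:2])[0],
            "sni": None, "supported_versions": []}
    pos = 2 + 32                                   # skip legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                             for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                           # compression methods
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                info["supported_versions"] = [
                    struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return info


def highest_offered_version(info):
    """TLS 1.3 clients signal versions via supported_versions; older clients
    only via the legacy_version field."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["legacy_version"]


def server_would_reject(info, server_min_version=0x0303):
    """True if a server requiring at least server_min_version would answer
    this hello with a protocol_version alert."""
    return highest_offered_version(info) < server_min_version


def describe(info):
    top = highest_offered_version(info)
    verdict = "REJECTED by TLS1.2+ server" if server_would_reject(info) else "accepted"
    return (f"SNI={info['sni']} max_version={TLS_VERSION_NAMES.get(top, hex(top))} "
            f"suites={len(info['cipher_suites'])} {verdict}")


if __name__ == "__main__":
    # Constructed hellos: a TLS 1.0-only legacy client and a modern client.
    legacy = build_client_hello(0x0301, [0x002f, 0x0035], sni="ssl.mathemainzel.info")
    modern = build_client_hello(0x0303, [0x1301, 0xc02f], sni="ssl.mathemainzel.info",
                                supported_versions=[0x0304, 0x0303])
    for rec in (legacy, modern):
        print(describe(parse_client_hello(rec)))
```

The point of the check is the one Alex makes: if the proxy relays the legacy client's version and cipher list to the origin, the origin sees a TLS 1.0 hello and rejects it, even though the proxy's own OpenSSL could have negotiated TLS 1.2. Running the parser over a captured ClientHello from the old browser (e.g. from a packet capture on the proxy's client side) shows directly which properties would be mimicked, which is the first thing to confirm before deciding whether to splice such clients or stop mimicking.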
