[squid-users] Setting up a transparent http and https proxy server using squid 4.6
jean francois hasson
jfhasson at club-internet.fr
Sun Jan 3 18:15:00 UTC 2021
Hi,
After reading more information on this kind of error I captured a few
transactions with Wireshark running on the Raspberry Pi hosting Squid
4.6 and OpenSSL 1.1.1d. I captured some transactions when trying to
access ebay.fr, which is currently not successful with the setup I have,
with the error of inappropriate fallback mentioned below.
I am not familiar with TLS transactions so I will try to present a high
level view of the transactions between the raspberry pi and the ebay.fr
server. I hope you can guide me as to what I should focus on to
understand, if possible, the issue I have.
A bird's eye view of the transactions from Wireshark over time is:
23 0.175795327 192.168.1.32 192.168.1.1 DNS
71 Standard query 0x057e A www.ebay.fr
24 0.214678299 192.168.1.1 192.168.1.32 DNS
165 Standard query response 0x057e A www.ebay.fr CNAME
slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
25 0.301067317 192.168.1.32 23.57.6.166 TCP
74 53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=365186690 TSecr=0 WS=128
26 0.302488046 192.168.1.32 23.57.6.166 TCP
74 53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=365186691 TSecr=0 WS=128
27 0.328959454 23.57.6.166 192.168.1.32 TCP
74 443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460
SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
28 0.329115340 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718
TSecr=3470404062
29 0.329752684 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
30 0.330530288 23.57.6.166 192.168.1.32 TCP
74 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460
SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
31 0.330644819 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719
TSecr=3470404064
32 0.331192579 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
35 0.351054404 192.168.1.32 192.168.1.98 TCP
54 5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
36 0.363323884 23.57.6.166 192.168.1.32 TCP
66 443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096
TSecr=365186719
37 0.364291801 23.57.6.166 192.168.1.32 TLSv1.2
1514 Server Hello
38 0.364347270 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186753 TSecr=3470404096
39 0.365482999 23.57.6.166 192.168.1.32 TCP
1514 443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448
TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
40 0.365535030 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186754 TSecr=3470404096
41 0.366217999 23.57.6.166 192.168.1.32 TCP
1266 443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200
TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
42 0.366279041 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186755 TSecr=3470404096
43 0.366321697 23.57.6.166 192.168.1.32 TCP
74 [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160
Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
44 0.366410135 192.168.1.32 23.57.6.166 TCP
66 [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1 Win=64256
Len=0 TSval=365186755 TSecr=3470404064
45 0.366709770 23.57.6.166 192.168.1.32 TLSv1.2
991 Certificate, Certificate Status, Server Key Exchange, Server
Hello Done
46 0.366754978 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186756 TSecr=3470404097
47 0.369138676 23.57.6.166 192.168.1.32 TCP
66 443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404102
TSecr=365186720
48 0.370432739 23.57.6.166 192.168.1.32 TLSv1.2
1514 Server Hello
49 0.370506906 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186759 TSecr=3470404102
50 0.371401125 23.57.6.166 192.168.1.32 TCP
1514 443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448
TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
51 0.371449250 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186760 TSecr=3470404102
52 0.372385968 23.57.6.166 192.168.1.32 TCP
1266 443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200
TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
53 0.372438156 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186761 TSecr=3470404102
54 0.372859562 23.57.6.166 192.168.1.32 TLSv1.2
991 Certificate, Certificate Status, Server Key Exchange, Server
Hello Done
55 0.372905395 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186762 TSecr=3470404103
56 0.374064614 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186763 TSecr=3470404097
57 0.382856646 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186772 TSecr=3470404103
58 0.387044251 192.168.1.32 23.57.6.166 TCP
74 53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=365186776 TSecr=0 WS=128
59 0.401877325 192.168.1.32 23.57.6.166 TCP
74 53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1
TSval=365186791 TSecr=0 WS=128
60 0.402472117 23.57.6.166 192.168.1.32 TCP
66 443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0
TSval=3470404136 TSecr=365186763
61 0.402574981 192.168.1.32 23.57.6.166 TCP
66 53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0
TSval=365186791 TSecr=3470404136
62 0.410122326 23.57.6.166 192.168.1.32 TCP
66 443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0
TSval=3470404143 TSecr=365186772
63 0.410185971 192.168.1.32 23.57.6.166 TCP
66 53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0
TSval=365186799 TSecr=3470404143
64 0.415533941 23.57.6.166 192.168.1.32 TCP
74 443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460
SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128
65 0.415615607 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186804
TSecr=3470404148
66 0.416199514 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
67 0.429629098 23.57.6.166 192.168.1.32 TCP
74 443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460
SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128
68 0.429722796 192.168.1.32 23.57.6.166 TCP
66 53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186819
TSecr=3470404163
69 0.430195036 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
70 0.449937225 23.57.6.166 192.168.1.32 TCP
66 443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404182
TSecr=365186805
71 0.451000037 23.57.6.166 192.168.1.32 TLSv1.2
1514 Server Hello
72 0.451064100 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186840 TSecr=3470404183
73 0.451980194 23.57.6.166 192.168.1.32 TCP
1514 443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448
TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
74 0.452031756 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186841 TSecr=3470404183
75 0.452935767 23.57.6.166 192.168.1.32 TCP
1266 443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200
TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
76 0.452991027 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186842 TSecr=3470404183
77 0.453443475 23.57.6.166 192.168.1.32 TLSv1.2
991 Certificate, Certificate Status, Server Key Exchange, Server
Hello Done
78 0.453498215 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186842 TSecr=3470404184
79 0.461625715 192.168.1.32 23.57.6.166 TCP
66 53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186850 TSecr=3470404184
80 0.463463320 23.57.6.166 192.168.1.32 TCP
66 443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404196
TSecr=365186819
81 0.464344413 23.57.6.166 192.168.1.32 TLSv1.2
1514 Server Hello
82 0.464433476 192.168.1.32 23.57.6.166 TCP
66 53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186853 TSecr=3470404197
83 0.465538632 23.57.6.166 192.168.1.32 TCP
1514 443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448
TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
84 0.465628789 192.168.1.32 23.57.6.166 TCP
66 53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186854 TSecr=3470404197
85 0.466298945 23.57.6.166 192.168.1.32 TCP
1266 443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200
TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
86 0.466437851 192.168.1.32 23.57.6.166 TCP
66 53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186855 TSecr=3470404197
87 0.467042591 23.57.6.166 192.168.1.32 TLSv1.2
991 Certificate, Certificate Status, Server Key Exchange, Server
Hello Done
88 0.467190976 192.168.1.32 23.57.6.166 TCP
66 53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186856 TSecr=3470404197
I start my description with a Client Hello step from the Raspberry Pi to
the ebay.fr server:
No. Time Source Destination Protocol Length Info
29 0.329752684 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
...
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Then, there is another Client Hello step which seems quite similar to
the previous one:
No. Time Source Destination Protocol Length Info
32 0.331192579 192.168.1.32 23.57.6.166 TLSv1.2
583 Client Hello
...
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Then a Server Hello:
No. Time Source Destination Protocol Length Info
37 0.364291801 23.57.6.166 192.168.1.32 TLSv1.2
1514 Server Hello
...
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 78
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 74
Version: TLS 1.2 (0x0303)
Random:
08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
GMT Unix Time: Oct 4, 1974 08:40:20.000000000
Paris, Madrid (heure d’été)
Random Bytes:
bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(0xc02f)
...
So it seems the server found a common cipher with the client. I am not
sure then what to look for. Frames 43 and 44 are detected by Wireshark
as retransmissions but I am not sure it is a problem.
I noticed frame 45 which is about the Certificate, Certificate Status,
Server Key Exchange and Server Hello Done:
No. Time Source Destination Protocol Length Info
45 0.366709770 23.57.6.166 192.168.1.32 TLSv1.2
991 Certificate, Certificate Status, Server Key Exchange, Server
Hello Done
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4102
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
...
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 479
Handshake Protocol: Certificate Status
Handshake Type: Certificate Status (22)
Length: 475
Certificate Status Type: OCSP (1)
OCSP Response Length: 471
OCSP Response
...
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 333
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 329
EC Diffie-Hellman Server Params
...
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
...
I noticed there is a mention of Diffie-Hellman which may require some
attention but I am not sure.
I am sorry for all this information but I really look forward to knowing
more and managing to sort this issue out. Is there anything in this
information that is relevant to understanding the issue I have? Where
should I focus?
Best regards,
JF
On 02/01/2021 at 11:26, jean francois hasson wrote:
>
> Hi,
>
> Thank you Amos Jeffries and Antony Stone. It seems the configuration I
> have provides the functionality of filtering I am looking for.
>
> There is a strange behavior I can see when accessing some legitimate
> sites which I see traces of in cache.log :
>
> 2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20
> 'squidGuard' processes
> 2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39:
> error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> inappropriate fallback (1/-1/0)
> 2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD
> 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
> 2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38:
> error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> inappropriate fallback (1/-1/0)
> 2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD
> 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
> 2021/01/02 10:57:40 kid1| Starting new redirector helpers...
> 2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20
> 'squidGuard' processes
> 2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51:
> error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> inappropriate fallback (1/-1/0)
> 2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD
> 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
> 2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51:
> error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> inappropriate fallback (1/-1/0)
> 2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD
> 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
>
> I noticed other users of squid encountered similar issues but I did
> not find a clear answer to the issue. Is there a problem with my
> setup? I am not sure I will be able to solve it on my own! Any help
> would be appreciated.
>
> Best regards,
>
> JF Hasson
>
> On 31/12/2020 at 10:14, Antony Stone wrote:
>> On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
>>
>>> If I set up on a device connected to the access point a proxy manually
>>> ie 10.3.141.1 on port 8080, I can access the internet. If I put the
>>> following rules for iptables to use in files rules.v4 :
>>>
>>> *nat
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
>>> 10.3.141.1:3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
>>> 10.3.141.1:3129
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
>> Try removing the DNAT rules above. You should be using REDIRECT for intercept
>> mode to work correctly.
>>
>>
>> Antony.
>>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
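To show what the "inappropriate fallback" alert in the cache.log excerpt above actually tests for, here is an added example (not code from the original post, from Squid or from OpenSSL): a small Python parser that reads a ClientHello record and applies the RFC 7507 server-side check, which fires only when the TLS_FALLBACK_SCSV cipher suite is present and the version the client offers is below the server's maximum. The record-layer version (TLS 1.0 in the capture) plays no part in that check; the ClientHello's own version field does, and, by assumption here, the highest value in a supported_versions extension when a TLS 1.3 client sends one. The build_client_hello helper and the cipher suite list it is given are constructed test input, not bytes taken from the capture.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600      # RFC 7507 signalling cipher suite value
EXT_SUPPORTED_VERSIONS = 43     # RFC 8446 extension type
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 0x0301, 0x0302, 0x0303, 0x0304

def build_client_hello(client_version, suites, supported_versions=None):
    """Constructed test input: a minimal TLS record carrying a ClientHello."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    if supported_versions is not None:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return struct.pack("!BHH", 22, TLS1_0, len(hs)) + hs             # record layer says TLS 1.0, as in the capture

def parse_client_hello(record):
    """Return (client_version, cipher_suites, highest_offered_version) from a ClientHello record."""
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    p = 4                                                            # skip handshake type + 3-byte length
    client_version = struct.unpack_from("!H", body, p)[0]; p += 2
    p += 32                                                          # random
    p += 1 + body[p]                                                 # session id
    cs_len = struct.unpack_from("!H", body, p)[0]; p += 2
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + body[p]                                                 # compression methods
    highest = client_version
    if p < len(body):                                                # optional extensions block
        ext_end = p + 2 + struct.unpack_from("!H", body, p)[0]; p += 2
        while p < ext_end:
            etype, elen = struct.unpack_from("!HH", body, p); p += 4
            if etype == EXT_SUPPORTED_VERSIONS:                      # TLS 1.3 clients offer versions here
                n = body[p]
                highest = max(struct.unpack_from("!H", body, p + 1 + i)[0] for i in range(0, n, 2))
            p += elen
    return client_version, suites, highest

def would_send_inappropriate_fallback(record, server_max_version):
    """RFC 7507 server check: alert only if the SCSV is present and the client offers less than the server's max."""
    _, suites, highest = parse_client_hello(record)
    return TLS_FALLBACK_SCSV in suites and highest < server_max_version

if __name__ == "__main__":
    hello = build_client_hello(TLS1_2, [0xC02F, TLS_FALLBACK_SCSV])   # TLS 1.2 client with the SCSV set
    print(would_send_inappropriate_fallback(hello, TLS1_2), would_send_inappropriate_fallback(hello, TLS1_3))  # False True
```

The same TLS 1.2 ClientHello is accepted by a server whose maximum is TLS 1.2 and rejected by one that also speaks TLS 1.3, which is why the alert depends on the peer as much as on the client.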