[squid-users] Many google services IP addresses returns invalid2.invalid CN and Error negotiating SSL connection on FD

Eliezer Croitoru ngtech1ltd at gmail.com
Sun Jan 31 12:52:19 UTC 2021


Hey Alex and Amos,

I have seen the following issue over and over.

2021/01/31 14:26:53 kid1| Error negotiating SSL connection on FD 47: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn94248 local=216.58.211.194:443 remote=10.200.191.X:33718 flags=33
2021/01/31 14:27:53 kid1| Error negotiating SSL connection on FD 20: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn94248 local=216.58.211.194:443 remote=10.200.191.X:33718 flags=33
^C⏎


# Testing for the IP SAN
root at px2-043 ~ [SIGINT]# /opt/tls-check-script/check-dns-san.sh 216.58.211.194 443
Can't use SSL_get_servername
depth=0 OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
verify error:num=18:self signed certificate
verify return:1
depth=0 OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
verify return:1
DONE

# Testing for the IP with google.com SNI
root at px2-043 ~# /opt/tls-check-script/check-dns-san.sh 216.58.211.194 443 google.com
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
DONE
X509v3 Subject Alternative Name:

And the next test is to verify which ciphers are available on this IP:
root at px2-043 ~# /opt/tls-check-script/tls-check.rb 216.58.211.194 443 google.com
### Number of Ciphers to be tested: 66
### Timeout per test: 3
### Delay between tests: 1
Testing TLS_AES_256_GCM_SHA384...  NO, SSL_CTX_set_cipher_list
Testing TLS_CHACHA20_POLY1305_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_GCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing TLS_AES_128_CCM_SHA256...  NO, SSL_CTX_set_cipher_list
Testing ECDHE-ECDSA-AES256-GCM-SHA384...  CONNECTED ~: TLS_AES_256_GCM_SHA384, NO, Secure Renegotiation IS NOT supported
Testing ECDHE-RSA-AES256-GCM-SHA384...  CONNECTED ~: TLS_AES_256_GCM_SHA384, NO, Secure Renegotiation IS NOT supported
Testing DHE-RSA-AES256-GCM-SHA384...  CONNECTED ~: TLS_AES_256_GCM_SHA384, NO, Secure Renegotiation IS NOT supported
Testing ECDHE-ECDSA-CHACHA20-POLY1305...  CONNECTED ~: TLS_AES_256_GCM_SHA384, NO, Secure Renegotiation IS NOT supported
^CTraceback (most recent call last):
        3: from /opt/tls-check-script/tls-check.rb:88:in `<main>'
        2: from /opt/tls-check-script/tls-check.rb:88:in `each'
        1: from /opt/tls-check-script/tls-check.rb:136:in `block in <main>'
/opt/tls-check-script/tls-check.rb:136:in `sleep': Interrupt

I stopped it since most of the output is:
Testing XYZ(CIPHER)...  CONNECTED ~: TLS_AES_256_GCM_SHA384, NO, Secure Renegotiation IS NOT supported

This is probably what is causing the specific issues mentioned above.
I want to try and verify whether, in this specific session, the SNI is known by Google.
Also, whether there is something I can do to configure Squid so that it works in some way.

I have seen this issue a lot in a couple of setups in which … Google services are being accessed from mobile devices or Google Chrome.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
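The two checks in the post (probing the server IP without SNI, then with an SNI) can be run straight from the Squid log lines. The script below is an added example, not the poster's check-dns-san.sh and not part of Squid: it extracts the origin-server IP from the "Error negotiating SSL connection" entries, probes it both ways with openssl s_client, and flags the "No SNI provided" placeholder certificate. It assumes OpenSSL 1.1.1 or newer (for -noservername) and uses google.com as the default SNI, as in the post; the sample log text is constructed.

```bash
#!/usr/bin/env bash
# Added diagnostic helper (not from the post or from Squid): pulls the origin
# server IP out of Squid "Error negotiating SSL connection" cache.log lines,
# then probes it with and without SNI and classifies the certificate returned.
# Assumes OpenSSL 1.1.1 or newer (for -noservername).

# The server-side address is the "local=" field of the intercepted connection.
extract_server_ips() {
  grep -o 'local=[0-9.]*:[0-9]*' | cut -d= -f2 | cut -d: -f1 | sort -u
}

# Classify the subject printed by "openssl x509 -noout -subject".
classify_subject() {
  case "$1" in
    "") echo "handshake-failed" ;;                    # no certificate came back
    *"No SNI provided"*|*"CN = invalid2.invalid"*|*"CN=invalid2.invalid"*)
        echo "placeholder-no-sni" ;;                  # server insists on an SNI
    *)  echo "real-cert" ;;
  esac
}

# Fetch the leaf certificate subject from IP:PORT, sending SNI only if given.
probe_subject() {
  local ip=$1 port=$2 sni=$3 sni_opt
  if [ -n "$sni" ]; then sni_opt="-servername $sni"; else sni_opt="-noservername"; fi
  # sni_opt is intentionally left unquoted so it word-splits into two arguments
  openssl s_client -connect "$ip:$port" $sni_opt </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//'
}

# One verdict per probe: "placeholder-no-sni" without SNI and "real-cert"
# with SNI is the combination the post shows for 216.58.211.194.
diagnose_ip() {
  local ip=$1 port=${2:-443} sni=${3:-google.com}
  printf '%s  no SNI : %s\n' "$ip" "$(classify_subject "$(probe_subject "$ip" "$port")")"
  printf '%s  SNI=%s : %s\n' "$ip" "$sni" "$(classify_subject "$(probe_subject "$ip" "$port" "$sni")")"
}

# Constructed sample in the same shape as the post's cache.log excerpt.
SAMPLE_LOG='2021/01/31 14:26:53 kid1| Error negotiating SSL connection on FD 47: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn94248 local=216.58.211.194:443 remote=10.200.191.X:33718 flags=33
2021/01/31 14:27:53 kid1| Error negotiating SSL connection on FD 20: error:00000001:lib(0):func(0):reason(1) (1/-1)
    connection: conn94248 local=216.58.211.194:443 remote=10.200.191.X:33718 flags=33'

# Usage: ./sni-probe.sh /var/log/squid/cache.log   (live probes, needs network)
#        ./sni-probe.sh                            (offline: IPs found in the sample)
if [ $# -gt 0 ]; then
  for ip in $(extract_server_ips < "$1"); do diagnose_ip "$ip"; done
else
  printf 'server IPs in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | extract_server_ips)"
fi
```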
