<div dir="ltr"><div>Thanks both for your help.<br></div>I'll try to make these changes and see if this solves my issues.<br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature">Renato Jop<br></div></div>
<br><div class="gmail_quote">On Sat, Jun 25, 2016 at 10:32 AM, Yuri Voinov <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
Amos, you are wrong.<br>
<br>
No Squid-4. It's unstable and not ready for production, whatever its<br>
features.<br>
<br>
Some time ago I had the same issue and I know exactly what happens.<br>
<br>
Skype's initial connection site uses the RC4 cipher, which is disabled in most<br>
squid configurations.<br>
<br>
To make it work (as with most M$ update sites) you simply need to use<br>
this cipher suite:<br>
<br>
HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
<br>
That works for me in 5 SSL-bumped setups. It doesn't matter which squid<br>
version is installed.<br>
<br>
<br>
On 25.06.2016 20:22, Amos Jeffries wrote:<br>
<div><div class="h5">> On 26/06/2016 1:19 a.m., Renato Jop wrote:<br>
>> Hello,<br>
>> I've configured squid to filter both HTTP and HTTPS traffic and for the<br>
>> most part the squid server is working correctly, however, I am always<br>
>> unable to login with skype. Skype does send all the requests through the<br>
>> squid server, but looking into the cache.log I always get an Error<br>
>> negotiating SSL connection on FD 12: error:1408A0C1:SSL<br>
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher.<br>
>> If I run: openssl s_client -crlf -connect <a href="http://157.55.56.164:443" rel="noreferrer" target="_blank">157.55.56.164:443</a> I get exactly<br>
>> the same error. However if I run: openssl s_client -crlf -connect<br>
>> <a href="http://157.55.56.164:443" rel="noreferrer" target="_blank">157.55.56.164:443</a> -tls1_2 -ssl2 I am able to connect.<br>
>> If I disable HTTPS, skype logins with no problems.<br>
>> I've searched on the mailing list archive and found that other people have<br>
>> had the same issues but none have been able to fix them. Is this a known<br>
>> issue with squid? Any help would be greatly appreciated.<br>
><br>
> Yes, it's known. Well, two problems are known with Skype...<br>
><br>
> 1) Handling Skype cleanly through Squid with HTTPS interception (aka<br>
> SSL-Bump) currently requires features from Squid-4. Specifically the<br>
> on_unsupported_protocol feature to avoid having to bypass each IP<br>
> address your clients connect to manually (PITA) for the connections at<br>
> least some versions of it make that don't use TLS/SSL on port 443.<br>
><br>
> This does not seem to be your particular problem though. Maybe you will<br>
> hit it only after solving the "no shared cipher" problem.<br>
><br>
><br>
> 2) Recently a few people have been finding the "no shared cipher" issue<br>
> appearing with other software or domains. Last sighting of it turned out<br>
> to be the new ChaCha and Poly1305 ciphers. Which required a migration to<br>
> LibreSSL since OpenSSL implementation was still finding bugs as recently<br>
> as March this year.<br>
><br>
> But wait, there's more ...<br>
><br>
><br>
><br>
>> http_port <a href="http://175.15.2.239:8080" rel="noreferrer" target="_blank">175.15.2.239:8080</a> ssl-bump generate-host-certificates=on<br>
>> dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem<br>
>> capath=/usr/local/share/certs/<br>
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>
>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
>><br>
>> http_port <a href="http://127.0.0.1:8080" rel="noreferrer" target="_blank">127.0.0.1:8080</a> intercept ssl-bump generate-host-certificates=on<br>
>> dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem<br>
>> capath=/usr/local/share/certs/<br>
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>
>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
>><br>
>> https_port <a href="http://127.0.0.1:3129" rel="noreferrer" target="_blank">127.0.0.1:3129</a> intercept ssl-bump generate-host-certificates=on<br>
>> dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem<br>
>> capath=/usr/local/share/certs/<br>
>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>
>> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
>><br>
><br>
> It is easy to think that the above enables a lot of ciphers.<br>
><br>
> HOWEVER, most of them involve "EC" and that requires a curve to be<br>
> configured as well. You are using the dhparams= option instead of<br>
> tls-dh= option. Thus you have not told Squid what Curve to use for any EC.<br>
> So most of those "allowed" ciphers are thus not working.<br>
><br>
> Which means you effectively have configured only this:<br>
><br>
> cipher=EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>
><br>
> I'm not sure right now how many ciphers "HIGH" enables with those<br>
> following rejections, but I'd bet it's also not many.<br>
><br>
> That limited number of ciphers on your side of the TLS handshake may be<br>
> at least a big part of what is leading to "no shared cipher" situation.<br>
><br>
><br>
> You have a few things that might help there. In the order you should try<br>
> them:<br>
><br>
> * Using the tls-dh= option with a curve name. It might start working<br>
> with an EC cipher.<br>
><br>
> * Using an updated library with ChaCha and Poly1305 ciphers. In case the<br>
> other end only wants one of those. This should not require a rebuild of<br>
> Squid, but it might.<br>
><br>
> * An upgrade to Squid-4.<br>
><br>
><br>
><br>
>> sslproxy_capath /usr/local/share/certs/<br>
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
>> sslproxy_cipher<br>
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>
><br>
> Note: The outgoing connections might actually do the Elliptic Curves.<br>
> Since the server tells Squid what curve to use.<br>
><br>
>> sslproxy_cert_error allow all<br>
><br>
> Nasty. Anyone is allowed to hack your proxy's outgoing connections and<br>
> do what they like to the TLS. You will ignore any security alerts or<br>
> errors TLS/SSL protocol uses to protect you.<br>
><br>
> So, what's the point of extending the acceptable CA with sslproxy_capath<br>
> if you are going to ignore the verification results?<br>
><br>
> What's the point of TLS if anyone is allowed to break into the "secure"<br>
> connections?<br>
><br>
><br>
> Amos<br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</div></div><br>
<br>
<br></blockquote></div><br></div>
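An added example, not code from the thread or from the Squid project: this Python script uses the local OpenSSL through the standard ssl module to expand the cipher strings quoted above and to separate the suites whose key exchange needs a configured curve (Amos's point about the missing tls-dh= curve) from those that work without one. FULL, REDUCED and YURI are my labels for the strings in the squid.conf, in Amos's reply and in Yuri's reply; the result depends on the OpenSSL that Python is linked against.

```python
import ssl

# Cipher string from the squid.conf quoted in the thread (copied as sample input).
FULL = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
        "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
        "EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:"
        "!3DES:!MD5:!EXP:!PSK:!SRP:!DSS")
# What Amos says is effectively left once the EC suites cannot be used.
REDUCED = "EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
# Yuri's suggestion, which re-enables RC4 and 3DES.
YURI = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    enables. The answer comes from the local libssl, so it depends on the
    installed OpenSSL (OpenSSL 3, for instance, no longer ships RC4 by default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange(cipher):
    """Return the Kx= field of OpenSSL's one-line cipher description."""
    for field in cipher["description"].split():
        if field.startswith("Kx="):
            return field[3:]
    return "?"


def split_by_curve_need(cipher_string):
    """Split the enabled suites into (needs an EC curve, works without one)."""
    needs_ec, no_ec = [], []
    for c in expand(cipher_string):
        target = needs_ec if key_exchange(c).startswith("ECDH") else no_ec
        target.append(c["name"])
    return needs_ec, no_ec


def weak_suites(cipher_string):
    """Enabled suites using RC4 or 3DES, if the library still provides them."""
    return [c["name"] for c in expand(cipher_string)
            if "RC4" in c["name"] or "DES-CBC3" in c["name"]]


if __name__ == "__main__":
    ec, rest = split_by_curve_need(FULL)
    print(f"{len(ec)} of {len(ec) + len(rest)} suites need a configured curve")
    print("left without a curve:", rest)
    print("same as Amos's reduced string:", rest == split_by_curve_need(REDUCED)[1])
    print("weak suites Yuri's string would enable:", weak_suites(YURI))
```

Run it on the proxy host itself, because the list that matters is the one produced by the OpenSSL Squid was built against.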