<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Looks like your SSL library no longer contains SSLv3 protocol
support, but the site announces it.<br>
</p>
<br>
<div class="moz-cite-prefix">27.06.2016 20:42, Renato Jop wrote:<br>
</div>
<blockquote
cite="mid:CAHha_zUDWQEFJjWgupS55gibNxSZ=gy--CfvQesYoPv6akciDQ@mail.gmail.com"
type="cite">
<div dir="ltr">I removed NO_SSLv2, NO_SSLv3; however, right
before the SSL3_GET_RECORD:wrong version number, the SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">Renato
Jop<br>
</div>
</div>
<br>
<div class="gmail_quote">On Mon, Jun 27, 2016 at 8:29 AM, Yuri <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Try removing NO_SSLv2,NO_SSLv3 from options. SSLv2 is
already not supported anywhere, and RC4/3DES are SSLv3
ciphers, so this can confuse the software. I.e., you use
custom cipher/protocol combinations, which can lead to
issues.<br>
</p>
<br>
<div>27.06.2016 20:25, Renato Jop wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>Thank you both for your valuable help.<br>
</div>
I've configured the tls-dh param with a strong
Diffie-Hellman group (2048 bits) and configured
the cipher as Yuri specified, and I was able to get
past the unknown cipher; however, now I get "SSL
routines:SSL3_GET_RECORD:wrong
version number". Here's the configuration I
changed:<br>
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
dhparams=/etc/dh-parameters.2048<br>
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>
tls-dh=/usr/local/etc/squid/dhparams.pem<br>
<br>
<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div data-smartmail="gmail_signature">Renato Jop<br>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jun 25, 2016 at
11:34 AM, Yuri Voinov <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:yvoinov@gmail.com"
target="_blank">yvoinov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
<br>
<br>
</span>25.06.2016 23:09, Amos
Jeffries wrote:<br>
<span>> On 26/06/2016 4:32 a.m., Yuri
Voinov wrote:<br>
>><br>
>> Amos, you are wrong.<br>
>><br>
>> No Squid-4. It's unstable and not
ready for production. Whatever its<br>
>> features.<br>
><br>
> So some beta software has bugs
therefore nobody should ever use it for<br>
> anything. I find that to be a strange
and sad view of the world.<br>
><br>
> Care to guess why I listed it as the
last option amongst several?<br>
> Or why 4.0.11 exists as a beta still?<br>
> It *is* an option for the mentioned
problem(s) though whatever its<br>
utility.<br>
</span>Agreed.<br>
<span>><br>
><br>
><br>
>><br>
>> Some time ago I had the same issue
and know exactly what happens.<br>
>><br>
>> Skype's initial connection site uses the
RC4 cipher, which is disabled in most<br>
>> Squid configurations.<br>
><br>
> Your "know what happens exactly"
differs from at least two other people's<br>
> debugging experiences with Skype.<br>
><br>
> RC4 is on the hitlist for most of the
big vendors for the past year or<br>
> so. IIRC there were several Windows
Updates to remove it and other<br>
> broken bits from a lot of things over
the past year.<br>
> If Skype is still using RC4 it might be
part of this problem.<br>
</span>I'm sure this is a problem and this
problem exists. MS does nothing to make<br>
their sites/services more secure. BTW, MS
Updates itself uses RC4 ciphers<br>
at this time. With strong ciphers there is no way
to set up WU via Squid.<br>
I've spent much time identifying this problem
in my setup and finding a<br>
working workaround.<br>
<br>
Another part of the problem is: MS often uses its
own self-signed roots,<br>
which exist in Windows, but nowhere else.
And which are not<br>
cross-signed by well-known root CAs. They
think it makes MS services<br>
more secure. They're wrong. But we can't do
anything about it. So, this has<br>
forced us to add self-signed MS roots to our
Squid CA bundles to<br>
bump/splice.<br>
<span>><br>
><br>
>><br>
>> To make it work (as well as most M$
update sites) it simply requires using<br>
>> this cipher suite:<br>
>><br>
>>
HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
>><br>
>> That works for me in 5 SSL-bumped
setups. It doesn't matter which Squid<br>
>> version is installed.<br>
><br>
> Thank you. That's another option then.
I'd rate that below trying the EC<br>
> ciphers, and above library updates.<br>
</span>You are welcome.<br>
<br>
Just for information: MS has its own IT
infrastructure, with some strangely<br>
configured and not well-managed elements. I
can't guarantee this<br>
workaround will work everywhere or for every
MS service.<br>
<br>
When I did my research, I saw some
strange TLS security<br>
combinations on MS sites/services, for
example RC4+ECDSA+TLSv1.2,<br>
or RC4+MD5+TLSv1, and some
similar. Very idiotic and<br>
potentially dangerous combinations. And their
support ignores all<br>
requests. As usual.<br>
<br>
To my regret, I cannot order all of its users
to abandon the use of<br>
Windows. So far, my infrastructure has
machines with Windows XP.<br>
<br>
Nothing can be done about this; it is necessary
only to weaken<br>
security, for the sake of compatibility.<br>
<span>><br>
><br>
> Amos<br>
>
_______________________________________________<br>
> squid-users mailing list<br>
> <a moz-do-not-send="true"
href="mailto:squid-users@lists.squid-cache.org"
target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a moz-do-not-send="true"
href="http://lists.squid-cache.org/listinfo/squid-users"
rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</span><span>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z<br>
yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW<br>
OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS<br>
0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK<br>
3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF<br>
Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=<br>
=8BTp<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
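<p>Two offline checks, added here as an example (not code from the thread, from Squid, or from any of the posters), that bear on the two errors discussed above: what the posted <code>cipher=</code> string actually expands to on the OpenSSL build that Python is linked against (RC4 is dropped from default OpenSSL builds since 1.1.0, and the RC4/3DES keywords are accepted even when they match no compiled-in suite), and what OpenSSL's record layer makes of the first bytes a server sends back, which is where "SSL3_GET_RECORD:wrong version number" comes from: the 5-byte record header did not carry major version 3, typically because the peer answered in plaintext or with a protocol the library does not speak. The byte strings below are constructed by hand, not captured traffic; the only assumption is a Python with the standard <code>ssl</code> module.</p>

```python
"""Offline checks for the two errors discussed in this squid-users thread.

Added example, not code from the thread or from the Squid project.
Assumptions: Python's ``ssl`` module is linked against an OpenSSL-style
library (as Squid is), and the sample byte strings are constructed by hand
to stand in for the first bytes a server returns on a bumped connection.
"""
import ssl

# The cipher list posted in the thread, as Squid would pass it to OpenSSL.
SQUID_CIPHER_STRING = (
    "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def expand_cipher_list(cipher_string=SQUID_CIPHER_STRING):
    """Expand an OpenSSL cipher string with the local library.

    Returns (names, has_rc4, has_3des).  OpenSSL accepts the RC4 and 3DES
    keywords even when no such suite is compiled in, so the expanded list
    can come back without the suites the workaround relies on.  ssl.SSLError
    is raised only if nothing at all matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    has_rc4 = any("RC4" in n for n in names)
    has_3des = any("DES-CBC3" in n for n in names)
    return names, has_rc4, has_3des


# Record-layer values from RFC 6101 (SSLv3) and RFC 5246 (TLS 1.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_record(data: bytes) -> dict:
    """Say what OpenSSL's record layer would make of the first bytes
    received from the server.

    OpenSSL raises SSL_R_WRONG_VERSION_NUMBER when the record header's
    major version byte is not 3, which is exactly what a plaintext reply
    (e.g. "HTTP/1.1 ...") on a non-TLS port produces.
    """
    if len(data) < 5:
        return {"kind": "short", "detail": "need at least a 5-byte record header"}
    if data.startswith(b"HTTP/"):
        return {"kind": "plaintext_http",
                "detail": "peer is not speaking TLS on this port; "
                          "OpenSSL reports wrong version number"}
    # SSLv2 records start with a 2-byte length whose high bit is set,
    # followed by the message type (1 = CLIENT-HELLO, 4 = SERVER-HELLO).
    if data[0] & 0x80 and data[2] in (1, 4):
        return {"kind": "sslv2",
                "detail": "SSLv2-style hello; no modern library accepts it"}
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if major != 3:
        return {"kind": "bad_version", "major": major, "minor": minor,
                "detail": "record major version is not 3; "
                          "OpenSSL reports wrong version number"}
    version = VERSIONS.get((major << 8) | minor, "unknown 3.%d" % minor)
    note = ""
    if version == "SSLv3":
        note = "only usable if the library still has SSLv3 compiled in"
    return {"kind": "tls", "version": version,
            "content_type": CONTENT_TYPES.get(ctype, "unknown"),
            "length": length, "detail": note}


# Constructed samples (not captured traffic).
SAMPLE_TLS12_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x2a"        # handshake record, TLS 1.2, 42 bytes
    + b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    + b"\x03\x03" + bytes(32)      # server version + random
    + b"\x00"                      # empty session id
    + b"\xc0\x2f"                  # ECDHE-RSA-AES128-GCM-SHA256
    + b"\x00"                      # null compression
)
SAMPLE_PLAINTEXT_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_SSLV2_SERVER_HELLO = b"\x80\x4c\x04\x00\x01\x00\x02"
SAMPLE_SSLV3_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure


if __name__ == "__main__":
    names, rc4, des3 = expand_cipher_list()
    print(f"{len(names)} suites; RC4 present: {rc4}; 3DES present: {des3}")
    for label, blob in [("TLS 1.2 ServerHello", SAMPLE_TLS12_SERVER_HELLO),
                        ("plaintext HTTP", SAMPLE_PLAINTEXT_HTTP),
                        ("SSLv2 hello", SAMPLE_SSLV2_SERVER_HELLO),
                        ("SSLv3 alert", SAMPLE_SSLV3_ALERT)]:
        print(f"{label:20s} -> {classify_record(blob)}")
```

<p>If <code>expand_cipher_list()</code> reports no RC4 suite, the posted cipher string cannot deliver the RC4 workaround on that host no matter what Squid's <code>cipher=</code> line says; to apply <code>classify_record()</code> to a real failure, capture the server's first reply on the bumped connection and pass those bytes in.</p>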
</body>
</html>