<div dir="ltr"><div>Disregard last message, it seemed to work...once - quite possible i had the proxy toggled off at the time...sheesh<br><br></div>Reverted my cipher chain back to the original and leaving the hell alone, will send the site admin an email instead of fiddling further<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 March 2017 at 14:04, <span dir="ltr"><<a href="mailto:squid-users-request@lists.squid-cache.org" target="_blank">squid-users-request@lists.squid-cache.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send squid-users mailing list submissions to<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.<wbr>squid-cache.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:squid-users-owner@lists.squid-cache.org">squid-users-owner@lists.squid-<wbr>cache.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of squid-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: SSL Bump and Certificate issue - RapidSSL Intermediate<br>
Cert (stylemessiah)<br>
2. Re: Failed to shm_open (Amos Jeffries)<br>
3. Re: Failed to shm_open (Amos Jeffries)<br>
4. Re: SSL Bump and Certificate issue - RapidSSL Intermediate<br>
Cert (stylemessiah)<br>
5. Re: SSL Bump and Certificate issue - RapidSSL Intermediate<br>
Cert (stylemessiah)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Wed, 1 Mar 2017 09:03:47 -0800 (PST)<br>
From: stylemessiah <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL<br>
Intermediate Cert<br>
Message-ID:<br>
<CAOLOQx36wSy24sDDS-Qm=<wbr>BSAeGsS5oiT5kGK5kP7s=<a href="mailto:sMQEffpQ@mail.gmail.com">sMQEffpQ@<wbr>mail.gmail.com</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Thanks Amos for the info, appreciate your tireless assistance for us<br>
numpties :)<br>
<br>
On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <<br>
<a href="mailto:ml-node%2Bs1019090n4681642h47@n4.nabble.com">ml-node+s1019090n4681642h47@<wbr>n4.nabble.com</a>> wrote:<br>
<br>
> On 1/03/2017 4:58 a.m., stylemessiah wrote:<br>
><br>
> > This is driving me nuts, its the only issue ive found running ssl bump<br>
> on my<br>
> > home network for eons<br>
> ><br>
> > I cant see image thumbnails on xda-developers...<br>
> ><br>
> > When i access a thread with them, i get text links, not thumbnails, and<br>
> if i<br>
> > click on the links i get the following:<br>
> ><br>
> ><br>
> > (71) Protocol error (TLS code:<br>
> > X509_V_ERR_UNABLE_TO_GET_<wbr>ISSUER_CERT_LOCALLY)<br>
> ><br>
> > SSL Certficate error: certificate issuer (CA) not known:<br>
> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
> ><br>
> > I figured out by googling how to (i hope) trace the problem certificate<br>
> via<br>
> > s_client:<br>
> ><br>
> ><br>
> > OpenSSL> s_client -showcerts -verify 32 -connect<br>
> <a href="http://dl.xda-developers.com:443" rel="noreferrer" target="_blank">dl.xda-developers.com:443</a><br>
> > verify depth is 32<br>
> > CONNECTED(0000012C)<br>
> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
> > verify error:num=20:unable to get local issuer certificate<br>
> > verify return:1<br>
> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
> > verify error:num=21:unable to verify the first certificate<br>
> > verify return:1<br>
><br>
> That command you used does not send data through the proxy. So that<br>
> confirms that the servers TLS is broken in a way unrelated to Squid.<br>
><br>
><br>
><br>
> > ---<br>
> > Certificate chain<br>
> > 0 s:/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
> > i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
> ...<br>
><br>
> > ---<br>
> > Server certificate<br>
> > subject=/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.<wbr>com</a><br>
> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
> > ---<br>
> > No client certificate CA names sent<br>
> > Peer signing digest: SHA512<br>
> > Server Temp Key: ECDH, P-256, 256 bits<br>
> > ---<br>
> > SSL handshake has read 2067 bytes and written 302 bytes<br>
> > Verification error: unable to verify the first certificate<br>
><br>
> ><br>
> > Ive found the intermediate bundle from RapidSS, and added it to my<br>
> existing<br>
> > pem bundle...no change<br>
><br>
> You need to locate the root CA and/or intermediate CA certificates used<br>
> to sign the domain servers certificate.<br>
><br>
> You then need to identify *why* they are not being trusted by your OS<br>
> library.<br>
><br>
> Be sure to determine whether the CA which is missing is actually<br>
> trustworthy before adding it to your trusted set. More than a few of the<br>
> CA which are around are not trusted because they have been hacked or<br>
> caught signing forged certificates they should not have.<br>
><br>
><br>
> > Added as a separate pem i.e. sslproxy_foreign_intermediate_<wbr>certs<br>
> > /cygdrive/e/Squid/etc/ssl/<wbr>extra-intermediate-CA.pem...no change<br>
> ><br>
> > My sslbump related config lines are:<br>
> ><br>
> > http_port <a href="http://127.0.0.1:3128" rel="noreferrer" target="_blank">127.0.0.1:3128</a> ssl-bump generate-host-certificates=on<br>
> > dynamic_cert_mem_cache_size=<wbr>10MB cert=/cygdrive/e/Squid/etc/<wbr>ssl/myCA.pem<br>
><br>
> > capath=/cygdrive/e/Squid/etc/<wbr>ssl<br>
> > cafile=/cygdrive/e/Squid/etc/<wbr>ssl/extra-intermediate-CA.pem<br>
> > tls-dh=/cygdrive/e/Squid/etc/<wbr>ssl/dhparam.pem<br>
> > options=NO_SSLv2,NO_SSLv3,<wbr>SINGLE_ECDH_USE<br>
><br>
> PS. EECDH will not work unless you configure a curve name in the<br>
> tls-dh= option. Just having dhparam.pem alone will only enable the less<br>
> secure DH ciphers.<br>
><br>
> Amos<br>
><br>
> ______________________________<wbr>_________________<br>
> squid-users mailing list<br>
> [hidden email] <http:///user/SendEmail.jtp?<wbr>type=node&node=4681642&i=0><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
><br>
><br>
> ------------------------------<br>
> If you reply to this email, your message will be added to the discussion<br>
> below:<br>
> <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-</a><br>
> Bump-and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<br>
> tp4681635p4681642.html<br>
> To unsubscribe from SSL Bump and Certificate issue - RapidSSL Intermediate<br>
> Cert, click here<br>
> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681635&code=YWRyaWFuLm0ubWlsbGVyQGdtYWlsLmNvbXw0NjgxNjM1fDE5ODY3MjIyMDI=" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=unsubscribe_by_code&<wbr>node=4681635&code=<wbr>YWRyaWFuLm0ubWlsbGVyQGdtYWlsLm<wbr>NvbXw0NjgxNjM1fDE5ODY3MjIyMDI=</a><wbr>><br>
> .<br>
> NAML<br>
> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=macro_viewer&id=instant_<wbr>html%21nabble%3Aemail.naml&<wbr>base=nabble.naml.namespaces.<wbr>BasicNamespace-nabble.view.<wbr>web.template.NabbleNamespace-<wbr>nabble.view.web.template.<wbr>NodeNamespace&breadcrumbs=<wbr>notify_subscribers%21nabble%<wbr>3Aemail.naml-instant_emails%<wbr>21nabble%3Aemail.naml-send_<wbr>instant_email%21nabble%<wbr>3Aemail.naml</a>><br>
><br>
<br>
<br>
<br>
<br>
--<br>
View this message in context: <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681643.html" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-<wbr>Bump-and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<wbr>tp4681635p4681643.html</a><br>
Sent from the Squid - Users mailing list archive at Nabble.com.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 2 Mar 2017 06:19:27 +1300<br>
From: Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] Failed to shm_open<br>
Message-ID: <<a href="mailto:97f1176a-f88d-9fbf-28dc-a8c2341dc612@treenet.co.nz">97f1176a-f88d-9fbf-28dc-<wbr>a8c2341dc612@treenet.co.nz</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 2/03/2017 4:06 a.m., erdosain9 wrote:<br>
> Hi.<br>
> Now squid stop... abnormaly.<br>
><br>
> 2017/03/01 12:04:31 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'<br>
> processes<br>
> FATAL: Ipc::Mem::Segment::open failed to<br>
> shm_open(/squid-ssl_session_<wbr>cache.shm): (2) No such file or directory<br>
><br>
> Squid Cache (Version 3.5.20): Terminated abnormally.<br>
> CPU Usage: 0.095 seconds = 0.074 user + 0.021 sys<br>
> Maximum Resident Size: 134144 KB<br>
> Page faults with physical i/o: 0<br>
> 2017/03/01 12:04:31| Set Current Directory to /var/spool/squid<br>
><br>
> What is happend??<br>
><br>
<br>
One of three things, in order of likelihood:<br>
<br>
a) your OS does not have /dev/shm running.<br>
<br>
b) your Squid was not started with appropriate privileges to access<br>
/dev/shm and create the shared-memory area. ie root.<br>
<br>
c) a previous Squid process that was supposed to create that<br>
shared-memory area is not running.<br>
<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 2 Mar 2017 06:24:35 +1300<br>
From: Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] Failed to shm_open<br>
Message-ID: <<a href="mailto:3245dc48-4a84-ffe4-5952-ee09921efd8f@treenet.co.nz">3245dc48-4a84-ffe4-5952-<wbr>ee09921efd8f@treenet.co.nz</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 2/03/2017 4:21 a.m., erdosain9 wrote:<br>
> no shared cipher<br>
<br>
Exactly what it says. There are no ciphers which both the client and<br>
the server are allowing to be used.<br>
<br>
One example of this is a client that only speaks SSLv2 and a server that<br>
speaks only TLS/1.3.<br>
<br>
You will have to dig a bit deeper to figure out what ciphers are needed.<br>
Unfortunately Squid does not have much useful debug information in this<br>
area yet.<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Wed, 1 Mar 2017 17:57:30 -0800 (PST)<br>
From: stylemessiah <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL<br>
Intermediate Cert<br>
Message-ID:<br>
<CAOLOQx3n5MSOZHTiKSZJ8BfA=Q=<a href="mailto:LNd7KCVsncgLz2QZt0XaEOQ@mail.gmail.com">L<wbr>Nd7KCVsncgLz2QZt0XaEOQ@mail.<wbr>gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
>That command you used does not send data through the proxy. So that<br>
>confirms that the servers TLS is broken in a way unrelated to Squid.<br>
<br>
As that may be, when i go direct (sans proxy) i get thumbnails...no issues<br>
Toggle the proxy back on and no thumbnails, and opening an image link gives<br>
the<br>
error initially reported.<br>
<br>
(71) Protocol error (TLS code:<br>
X509_V_ERR_UNABLE_TO_GET_<wbr>ISSUER_CERT_LOCALLY)<br>
<br>
SSL Certficate error: certificate issuer (CA) not known:<br>
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
<br>
So both Ie and FF will just load anything from <a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-developers.com</a> and not<br>
register an issue, but squid will refuse to load the content and generate<br>
the error<br>
<br>
>You need to locate the root CA and/or intermediate CA certificates used<br>
>to sign the domain servers certificate.<br>
<br>
>You then need to identify *why* they are not being trusted by your OS<br>
>library.<br>
<br>
>Be sure to determine whether the CA which is missing is actually<br>
>trustworthy before adding it to your trusted set. More than a few of the<br>
>CA which are around are not trusted because they have been hacked or<br>
>caught signing forged certificates they should not have.<br>
<br>
I aalways learn something when youre silly enough to reply :)<br>
<br>
When i ran <a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-developers.com</a> through ssllabs (thanks google), it gave<br>
me a less than glowing report, including<br>
an incomplete cert chain (i say that like i understand it :) ) or as it put<br>
it:<br>
<br>
This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)<br>
<<a href="https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable" rel="noreferrer" target="_blank">https://community.qualys.com/<wbr>blogs/securitylabs/2014/06/13/<wbr>ssl-pulse-49-vulnerable-to-<wbr>cve-2014-0224-14-exploitable</a>><br>
and exploitable. Grade set to F.<br>
This server is vulnerable to the OpenSSL Padding Oracle vulnerability<br>
(CVE-2016-2107)<br>
<<a href="https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/" rel="noreferrer" target="_blank">https://blog.cloudflare.com/<wbr>yet-another-padding-oracle-in-<wbr>openssl-cbc-ciphersuites/</a>><br>
and insecure. Grade set to F.<br>
This server accepts RC4 cipher, but only with older browsers. Grade capped<br>
to B. MORE INFO »<br>
<<a href="https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what" rel="noreferrer" target="_blank">https://community.qualys.com/<wbr>blogs/securitylabs/2013/03/19/<wbr>rc4-in-tls-is-broken-now-what</a>><br>
This server's certificate chain is incomplete. Grade capped to B.<br>
<br>
Full report here for the curious:<br>
<a href="https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on" rel="noreferrer" target="_blank">https://globalsign.ssllabs.<wbr>com/analyze.html?d=dl.xda-<wbr>developers.com&hideResults=on</a><br>
<br>
For a few thumbnails im not going to torture myself, maybe ill send the<br>
forum admin a note instead :)<br>
<br>
>PS. EECDH will not work unless you configure a curve name in the<br>
>tls-dh= option. Just having dhparam.pem alone will only enable the less<br>
>secure DH ciphers.<br>
<br>
I did add a curve to the tls-dh param, im guessing tis correct, little info<br>
on which one to use (grabbing the list from my local openssl had me going<br>
what the hell)<br>
<br>
tls-dh=prime256v1:/cygdrive/e/<wbr>Squid/etc/ssl/dhparam.pem<br>
<br>
Note: this made no difference whatsoever with my issue<br>
<br>
Cheers,<br>
<br>
Adrian Miller<br>
<br>
<br>
<br>
On 2 March 2017 at 04:08, Adrian Miller <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>> wrote:<br>
<br>
> Thanks Amos for the info, appreciate your tireless assistance for us<br>
> numpties :)<br>
><br>
> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <<br>
> <a href="mailto:ml-node%2Bs1019090n4681642h47@n4.nabble.com">ml-node+s1019090n4681642h47@<wbr>n4.nabble.com</a>> wrote:<br>
><br>
>> On 1/03/2017 4:58 a.m., stylemessiah wrote:<br>
>><br>
>> > This is driving me nuts, its the only issue ive found running ssl bump<br>
>> on my<br>
>> > home network for eons<br>
>> ><br>
>> > I cant see image thumbnails on xda-developers...<br>
>> ><br>
>> > When i access a thread with them, i get text links, not thumbnails, and<br>
>> if i<br>
>> > click on the links i get the following:<br>
>> ><br>
>> ><br>
>> > (71) Protocol error (TLS code:<br>
>> > X509_V_ERR_UNABLE_TO_GET_<wbr>ISSUER_CERT_LOCALLY)<br>
>> ><br>
>> > SSL Certficate error: certificate issuer (CA) not known:<br>
>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>> ><br>
>> > I figured out by googling how to (i hope) trace the problem certificate<br>
>> via<br>
>> > s_client:<br>
>> ><br>
>> ><br>
>> > OpenSSL> s_client -showcerts -verify 32 -connect<br>
>> <a href="http://dl.xda-developers.com:443" rel="noreferrer" target="_blank">dl.xda-developers.com:443</a><br>
>> > verify depth is 32<br>
>> > CONNECTED(0000012C)<br>
>> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>> > verify error:num=20:unable to get local issuer certificate<br>
>> > verify return:1<br>
>> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>> > verify error:num=21:unable to verify the first certificate<br>
>> > verify return:1<br>
>><br>
>> That command you used does not send data through the proxy. So that<br>
>> confirms that the servers TLS is broken in a way unrelated to Squid.<br>
>><br>
>><br>
>><br>
>> > ---<br>
>> > Certificate chain<br>
>> > 0 s:/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>> > i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>> ...<br>
>><br>
>> > ---<br>
>> > Server certificate<br>
>> > subject=/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.<wbr>com</a><br>
>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>> > ---<br>
>> > No client certificate CA names sent<br>
>> > Peer signing digest: SHA512<br>
>> > Server Temp Key: ECDH, P-256, 256 bits<br>
>> > ---<br>
>> > SSL handshake has read 2067 bytes and written 302 bytes<br>
>> > Verification error: unable to verify the first certificate<br>
>><br>
>> ><br>
>> > Ive found the intermediate bundle from RapidSS, and added it to my<br>
>> existing<br>
>> > pem bundle...no change<br>
>><br>
>> You need to locate the root CA and/or intermediate CA certificates used<br>
>> to sign the domain servers certificate.<br>
>><br>
>> You then need to identify *why* they are not being trusted by your OS<br>
>> library.<br>
>><br>
>> Be sure to determine whether the CA which is missing is actually<br>
>> trustworthy before adding it to your trusted set. More than a few of the<br>
>> CA which are around are not trusted because they have been hacked or<br>
>> caught signing forged certificates they should not have.<br>
>><br>
>><br>
>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_<wbr>certs<br>
>> > /cygdrive/e/Squid/etc/ssl/<wbr>extra-intermediate-CA.pem...no change<br>
>> ><br>
>> > My sslbump related config lines are:<br>
>> ><br>
>> > http_port <a href="http://127.0.0.1:3128" rel="noreferrer" target="_blank">127.0.0.1:3128</a> ssl-bump generate-host-certificates=on<br>
>> > dynamic_cert_mem_cache_size=<wbr>10MB cert=/cygdrive/e/Squid/etc/<wbr>ssl/myCA.pem<br>
>><br>
>> > capath=/cygdrive/e/Squid/etc/<wbr>ssl<br>
>> > cafile=/cygdrive/e/Squid/etc/<wbr>ssl/extra-intermediate-CA.pem<br>
>> > tls-dh=/cygdrive/e/Squid/etc/<wbr>ssl/dhparam.pem<br>
>> > options=NO_SSLv2,NO_SSLv3,<wbr>SINGLE_ECDH_USE<br>
>><br>
>> PS. EECDH will not work unless you configure a curve name in the<br>
>> tls-dh= option. Just having dhparam.pem alone will only enable the less<br>
>> secure DH ciphers.<br>
>><br>
>> Amos<br>
>><br>
>> ______________________________<wbr>_________________<br>
>> squid-users mailing list<br>
>> [hidden email] <http:///user/SendEmail.jtp?<wbr>type=node&node=4681642&i=0><br>
>> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
>><br>
>><br>
>> ------------------------------<br>
>> If you reply to this email, your message will be added to the discussion<br>
>> below:<br>
>> <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-<wbr>Bump-</a><br>
>> and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<wbr>tp4681635p4681642.html<br>
>> To unsubscribe from SSL Bump and Certificate issue - RapidSSL<br>
>> Intermediate Cert, click here<br>
>> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681635&code=YWRyaWFuLm0ubWlsbGVyQGdtYWlsLmNvbXw0NjgxNjM1fDE5ODY3MjIyMDI=" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=unsubscribe_by_code&<wbr>node=4681635&code=<wbr>YWRyaWFuLm0ubWlsbGVyQGdtYWlsLm<wbr>NvbXw0NjgxNjM1fDE5ODY3MjIyMDI=</a><wbr>><br>
>> .<br>
>> NAML<br>
>> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=macro_viewer&id=instant_<wbr>html%21nabble%3Aemail.naml&<wbr>base=nabble.naml.namespaces.<wbr>BasicNamespace-nabble.view.<wbr>web.template.NabbleNamespace-<wbr>nabble.view.web.template.<wbr>NodeNamespace&breadcrumbs=<wbr>notify_subscribers%21nabble%<wbr>3Aemail.naml-instant_emails%<wbr>21nabble%3Aemail.naml-send_<wbr>instant_email%21nabble%<wbr>3Aemail.naml</a>><br>
>><br>
><br>
<br>
<br>
--<br>
I hate to advocate *drugs*, *alcohol*,* violence *or<br>
*insanity* to anyone, *but* they've *always* worked for* me*<br>
<br>
- Hunter S. Thompson<br>
<br>
<br>
<br>
<br>
--<br>
View this message in context: <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681646.html" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-<wbr>Bump-and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<wbr>tp4681635p4681646.html</a><br>
Sent from the Squid - Users mailing list archive at Nabble.com.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Wed, 1 Mar 2017 18:59:08 -0800 (PST)<br>
From: stylemessiah <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] SSL Bump and Certificate issue - RapidSSL<br>
Intermediate Cert<br>
Message-ID:<br>
<CAOLOQx1-wRQ4RZcTjg6CqAT-<wbr>mYyaBu-nCaPNkYFg4tW66E=<a href="mailto:F%2Bw@mail.gmail.com">F+w@<wbr>mail.gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Decided to fiddle with it one last time....<br>
<br>
If i change my cipher entries from<br>
<br>
EECDH+ECDSA+AESGCM:EECDH+aRSA+<wbr>AESGCM:EECDH+ECDSA+SHA384:<wbr>EECDH+ECDSA+SHA256:EECDH+aRSA+<wbr>SHA384:EECDH+aRSA+SHA256:<wbr>EECDH+aRSA+RC4:EECDH:EDH+aRSA:<wbr>HIGH:MEDIUM:!RC4:!aNULL:!<wbr>eNULL:!LOW:!3DES:!MD5:!EXP:!<wbr>PSK:!SRP:!DSS<br>
<br>
to<br>
<br>
ECDHE-RSA-AES256-GCM-SHA384:<wbr>ECDHE-RSA-AES128-GCM-SHA256:<wbr>DHE-RSA-AES256-GCM-SHA384:DHE-<wbr>RSA-AES128-GCM-SHA256:ECDHE-<wbr>RSA-AES256-SHA384:ECDHE-RSA-<wbr>AES128-SHA256:ECDHE-RSA-<wbr>AES256-SHA:ECDHE-RSA-AES128-<wbr>SHA:DHE-RSA-AES256-SHA256:DHE-<wbr>RSA-AES128-SHA256:DHE-RSA-<wbr>AES256-SHA:DHE-RSA-AES128-SHA:<wbr>ECDHE-RSA-DES-CBC3-SHA:EDH-<wbr>RSA-DES-CBC3-SHA:AES256-GCM-<wbr>SHA384:AES128-GCM-SHA256:<wbr>AES256-SHA256:AES128-SHA256:<wbr>AES256-SHA:AES128-SHA:DES-<wbr>CBC3-SHA:HIGH:!aNULL:!eNULL:!<wbr>EXPORT:!DES:!MD5:!PSK:!RC4<br>
<br>
I get content from <a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-developers.com</a> just fine<br>
<br>
But i wont pretend i understand the cipher chain, or whether the change is<br>
a good thing<br>
<br>
<br>
On 2 March 2017 at 13:01, Adrian Miller <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>> wrote:<br>
<br>
> >That command you used does not send data through the proxy. So that<br>
> >confirms that the servers TLS is broken in a way unrelated to Squid.<br>
><br>
> As that may be, when i go direct (sans proxy) i get thumbnails...no issues<br>
> Toggle the proxy back on and no thumbnails, and opening an image link<br>
> gives the<br>
> error initially reported.<br>
><br>
> (71) Protocol error (TLS code:<br>
> X509_V_ERR_UNABLE_TO_GET_<wbr>ISSUER_CERT_LOCALLY)<br>
><br>
> SSL Certficate error: certificate issuer (CA) not known:<br>
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
><br>
> So both Ie and FF will just load anything from <a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-developers.com</a> and<br>
> not<br>
> register an issue, but squid will refuse to load the content and generate<br>
> the error<br>
><br>
> >You need to locate the root CA and/or intermediate CA certificates used<br>
> >to sign the domain servers certificate.<br>
><br>
> >You then need to identify *why* they are not being trusted by your OS<br>
> >library.<br>
><br>
> >Be sure to determine whether the CA which is missing is actually<br>
> >trustworthy before adding it to your trusted set. More than a few of the<br>
> >CA which are around are not trusted because they have been hacked or<br>
> >caught signing forged certificates they should not have.<br>
><br>
> I aalways learn something when youre silly enough to reply :)<br>
><br>
> When i ran <a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-developers.com</a> through ssllabs (thanks google), it gave<br>
> me a less than glowing report, including<br>
> an incomplete cert chain (i say that like i understand it :) ) or as it<br>
> put it:<br>
><br>
> This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)<br>
> <<a href="https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable" rel="noreferrer" target="_blank">https://community.qualys.com/<wbr>blogs/securitylabs/2014/06/13/<wbr>ssl-pulse-49-vulnerable-to-<wbr>cve-2014-0224-14-exploitable</a>><br>
> and exploitable. Grade set to F.<br>
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability<br>
> (CVE-2016-2107)<br>
> <<a href="https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/" rel="noreferrer" target="_blank">https://blog.cloudflare.com/<wbr>yet-another-padding-oracle-in-<wbr>openssl-cbc-ciphersuites/</a>><br>
> and insecure. Grade set to F.<br>
> This server accepts RC4 cipher, but only with older browsers. Grade capped<br>
> to B. MORE INFO »<br>
> <<a href="https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what" rel="noreferrer" target="_blank">https://community.qualys.com/<wbr>blogs/securitylabs/2013/03/19/<wbr>rc4-in-tls-is-broken-now-what</a>><br>
> This server's certificate chain is incomplete. Grade capped to B.<br>
><br>
> Full report here for the curious: <a href="https://globalsign.ssllabs" rel="noreferrer" target="_blank">https://globalsign.ssllabs</a>.<br>
> com/analyze.html?d=<a href="http://dl.xda-developers.com" rel="noreferrer" target="_blank">dl.xda-<wbr>developers.com</a>&hideResults=on<br>
><br>
> For a few thumbnails im not going to torture myself, maybe ill send the<br>
> forum admin a note instead :)<br>
><br>
> >PS. EECDH will not work unless you configure a curve name in the<br>
> >tls-dh= option. Just having dhparam.pem alone will only enable the less<br>
> >secure DH ciphers.<br>
><br>
> I did add a curve to the tls-dh param, im guessing tis correct, little<br>
> info on which one to use (grabbing the list from my local openssl had me<br>
> going what the hell)<br>
><br>
> tls-dh=prime256v1:/cygdrive/e/<wbr>Squid/etc/ssl/dhparam.pem<br>
><br>
> Note: this made no difference whatsoever with my issue<br>
><br>
> Cheers,<br>
><br>
> Adrian Miller<br>
><br>
><br>
><br>
> On 2 March 2017 at 04:08, Adrian Miller <<a href="mailto:adrian.m.miller@gmail.com">adrian.m.miller@gmail.com</a>> wrote:<br>
><br>
>> Thanks Amos for the info, appreciate your tireless assistance for us<br>
>> numpties :)<br>
>><br>
>> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <<br>
>> <a href="mailto:ml-node%2Bs1019090n4681642h47@n4.nabble.com">ml-node+s1019090n4681642h47@<wbr>n4.nabble.com</a>> wrote:<br>
>><br>
>>> On 1/03/2017 4:58 a.m., stylemessiah wrote:<br>
>>><br>
>>> > This is driving me nuts, its the only issue ive found running ssl bump<br>
>>> on my<br>
>>> > home network for eons<br>
>>> ><br>
>>> > I cant see image thumbnails on xda-developers...<br>
>>> ><br>
>>> > When i access a thread with them, i get text links, not thumbnails,<br>
>>> and if i<br>
>>> > click on the links i get the following:<br>
>>> ><br>
>>> ><br>
>>> > (71) Protocol error (TLS code:<br>
>>> > X509_V_ERR_UNABLE_TO_GET_<wbr>ISSUER_CERT_LOCALLY)<br>
>>> ><br>
>>> > SSL Certficate error: certificate issuer (CA) not known:<br>
>>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>>> ><br>
>>> > I figured out by googling how to (i hope) trace the problem<br>
>>> certificate via<br>
>>> > s_client:<br>
>>> ><br>
>>> ><br>
>>> > OpenSSL> s_client -showcerts -verify 32 -connect<br>
>>> <a href="http://dl.xda-developers.com:443" rel="noreferrer" target="_blank">dl.xda-developers.com:443</a><br>
>>> > verify depth is 32<br>
>>> > CONNECTED(0000012C)<br>
>>> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>>> > verify error:num=20:unable to get local issuer certificate<br>
>>> > verify return:1<br>
>>> > depth=0 CN = *.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>>> > verify error:num=21:unable to verify the first certificate<br>
>>> > verify return:1<br>
>>><br>
>>> That command you used does not send data through the proxy. So that<br>
>>> confirms that the servers TLS is broken in a way unrelated to Squid.<br>
>>><br>
>>><br>
>>><br>
>>> > ---<br>
>>> > Certificate chain<br>
>>> > 0 s:/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.com</a><br>
>>> > i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>>> ...<br>
>>><br>
>>> > ---<br>
>>> > Server certificate<br>
>>> > subject=/CN=*.<a href="http://xda-developers.com" rel="noreferrer" target="_blank">xda-developers.<wbr>com</a><br>
>>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA<br>
>>> > ---<br>
>>> > No client certificate CA names sent<br>
>>> > Peer signing digest: SHA512<br>
>>> > Server Temp Key: ECDH, P-256, 256 bits<br>
>>> > ---<br>
>>> > SSL handshake has read 2067 bytes and written 302 bytes<br>
>>> > Verification error: unable to verify the first certificate<br>
>>><br>
>>> ><br>
>>> > Ive found the intermediate bundle from RapidSS, and added it to my<br>
>>> existing<br>
>>> > pem bundle...no change<br>
>>><br>
>>> You need to locate the root CA and/or intermediate CA certificates used<br>
>>> to sign the domain servers certificate.<br>
>>><br>
>>> You then need to identify *why* they are not being trusted by your OS<br>
>>> library.<br>
>>><br>
>>> Be sure to determine whether the CA which is missing is actually<br>
>>> trustworthy before adding it to your trusted set. More than a few of the<br>
>>> CA which are around are not trusted because they have been hacked or<br>
>>> caught signing forged certificates they should not have.<br>
>>><br>
>>><br>
>>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_<wbr>certs<br>
>>> > /cygdrive/e/Squid/etc/ssl/<wbr>extra-intermediate-CA.pem...no change<br>
>>> ><br>
>>> > My sslbump related config lines are:<br>
>>> ><br>
>>> > http_port <a href="http://127.0.0.1:3128" rel="noreferrer" target="_blank">127.0.0.1:3128</a> ssl-bump generate-host-certificates=on<br>
>>> > dynamic_cert_mem_cache_size=<wbr>10MB cert=/cygdrive/e/Squid/etc/<wbr>ssl/myCA.pem<br>
>>><br>
>>> > capath=/cygdrive/e/Squid/etc/<wbr>ssl<br>
>>> > cafile=/cygdrive/e/Squid/etc/<wbr>ssl/extra-intermediate-CA.pem<br>
>>> > tls-dh=/cygdrive/e/Squid/etc/<wbr>ssl/dhparam.pem<br>
>>> > options=NO_SSLv2,NO_SSLv3,<wbr>SINGLE_ECDH_USE<br>
>>><br>
>>> PS. EECDH will not work unless you configure a curve name in the<br>
>>> tls-dh= option. Just having dhparam.pem alone will only enable the less<br>
>>> secure DH ciphers.<br>
>>><br>
>>> Amos<br>
>>><br>
>>> ______________________________<wbr>_________________<br>
>>> squid-users mailing list<br>
>>> [hidden email] <http:///user/SendEmail.jtp?<wbr>type=node&node=4681642&i=0><br>
>>> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
>>><br>
>>><br>
>>> ------------------------------<br>
>>> If you reply to this email, your message will be added to the discussion<br>
>>> below:<br>
>>> <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-<wbr>Bump-</a><br>
>>> and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<wbr>tp4681635p4681642.html<br>
>>> To unsubscribe from SSL Bump and Certificate issue - RapidSSL<br>
>>> Intermediate Cert, click here<br>
>>> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681635&code=YWRyaWFuLm0ubWlsbGVyQGdtYWlsLmNvbXw0NjgxNjM1fDE5ODY3MjIyMDI=" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=unsubscribe_by_code&<wbr>node=4681635&code=<wbr>YWRyaWFuLm0ubWlsbGVyQGdtYWlsLm<wbr>NvbXw0NjgxNjM1fDE5ODY3MjIyMDI=</a><wbr>><br>
>>> .<br>
>>> NAML<br>
>>> <<a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/<wbr>template/NamlServlet.jtp?<wbr>macro=macro_viewer&id=instant_<wbr>html%21nabble%3Aemail.naml&<wbr>base=nabble.naml.namespaces.<wbr>BasicNamespace-nabble.view.<wbr>web.template.NabbleNamespace-<wbr>nabble.view.web.template.<wbr>NodeNamespace&breadcrumbs=<wbr>notify_subscribers%21nabble%<wbr>3Aemail.naml-instant_emails%<wbr>21nabble%3Aemail.naml-send_<wbr>instant_email%21nabble%<wbr>3Aemail.naml</a>><br>
>>><br>
>><br>
><br>
><br>
> --<br>
> I hate to advocate *drugs*, *alcohol*,* violence *or<br>
> *insanity* to anyone, *but* they've *always* worked for* me*<br>
><br>
> - Hunter S. Thompson<br>
><br>
<br>
<br>
<br>
--<br>
I hate to advocate *drugs*, *alcohol*,* violence *or<br>
*insanity* to anyone, *but* they've *always* worked for* me*<br>
<br>
- Hunter S. Thompson<br>
<br>
<br>
<br>
<br>
--<br>
View this message in context: <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681647.html" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/SSL-<wbr>Bump-and-Certificate-issue-<wbr>RapidSSL-Intermediate-Cert-<wbr>tp4681635p4681647.html</a><br>
Sent from the Squid - Users mailing list archive at Nabble.com.<br>
<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 31, Issue 3<br>
******************************<wbr>************<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">I hate to advocate <span style="color:rgb(255,153,0)"><b>drugs</b></span>, <span style="color:rgb(255,153,0)"><b>alcohol</b></span>,<b> <span style="color:rgb(255,153,0)">violence</span> </b><span style="background-color:rgb(255,255,255)"><span style="color:rgb(255,153,0)"></span></span>or <br><span style="color:rgb(255,153,0)"><b>insanity</b></span> to anyone,<span style="color:rgb(255,153,0)"> <b>but</b></span> they've <b><span style="color:rgb(255,153,0)">always</span></b> worked for<b> <span style="color:rgb(255,153,0)">me</span></b><span style="background-color:rgb(255,153,0)"></span><br><br>- Hunter S. Thompson<br></div></div>
</div>