<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>After reading more information on this kind of error I captured a
few transactions with Wireshark running on the Raspberry Pi
hosting squid 4.6 and openssl 1.1.1d. I captured some transactions
when trying to access ebay.fr, which is currently not successful
with the setup I have, with the error of inappropriate fallback
mentioned below.</p>
<p>I am not familiar with TLS transactions so I will try to present
a high level view of the transactions between the Raspberry Pi and
the ebay.fr server. I hope you can guide me as to what I should
focus on to understand, if possible, the issue I have.</p>
<p>A bird's eye view of the transactions from Wireshark over time
is:</p>
<p> 23 0.175795327 192.168.1.32
192.168.1.1 DNS 71 Standard query 0x057e A
<a class="moz-txt-link-abbreviated" href="http://www.ebay.fr">www.ebay.fr</a><br>
24 0.214678299 192.168.1.1 192.168.1.32
DNS 165 Standard query response 0x057e A <a class="moz-txt-link-abbreviated" href="http://www.ebay.fr">www.ebay.fr</a> CNAME
slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A
23.57.6.166<br>
25 0.301067317 192.168.1.32 23.57.6.166
TCP 74 53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
SACK_PERM=1 TSval=365186690 TSecr=0 WS=128<br>
26 0.302488046 192.168.1.32 23.57.6.166
TCP 74 53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
SACK_PERM=1 TSval=365186691 TSecr=0 WS=128<br>
27 0.328959454 23.57.6.166 192.168.1.32
TCP 74 443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128<br>
28 0.329115340 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0
TSval=365186718 TSecr=3470404062<br>
29 0.329752684 192.168.1.32 23.57.6.166
TLSv1.2 583 Client Hello<br>
30 0.330530288 23.57.6.166 192.168.1.32
TCP 74 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128<br>
31 0.330644819 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0
TSval=365186719 TSecr=3470404064<br>
32 0.331192579 192.168.1.32 23.57.6.166
TLSv1.2 583 Client Hello<br>
35 0.351054404 192.168.1.32 192.168.1.98
TCP 54 5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0<br>
36 0.363323884 23.57.6.166 192.168.1.32
TCP 66 443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0
TSval=3470404096 TSecr=365186719<br>
37 0.364291801 23.57.6.166 192.168.1.32
TLSv1.2 1514 Server Hello<br>
38 0.364347270 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186753 TSecr=3470404096<br>
39 0.365482999 23.57.6.166 192.168.1.32
TCP 1514 443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768
Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a
reassembled PDU]<br>
40 0.365535030 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186754 TSecr=3470404096<br>
41 0.366217999 23.57.6.166 192.168.1.32
TCP 1266 443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768
Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a
reassembled PDU]<br>
42 0.366279041 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186755 TSecr=3470404096<br>
43 0.366321697 23.57.6.166 192.168.1.32
TCP 74 [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0
Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096
TSecr=365186691 WS=128<br>
44 0.366410135 192.168.1.32 23.57.6.166
TCP 66 [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1
Win=64256 Len=0 TSval=365186755 TSecr=3470404064<br>
45 0.366709770 23.57.6.166 192.168.1.32
TLSv1.2 991 Certificate, Certificate Status, Server Key
Exchange, Server Hello Done<br>
46 0.366754978 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186756 TSecr=3470404097<br>
47 0.369138676 23.57.6.166 192.168.1.32
TCP 66 443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0
TSval=3470404102 TSecr=365186720<br>
48 0.370432739 23.57.6.166 192.168.1.32
TLSv1.2 1514 Server Hello<br>
49 0.370506906 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186759 TSecr=3470404102<br>
50 0.371401125 23.57.6.166 192.168.1.32
TCP 1514 443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768
Len=1448 TSval=3470404102 TSecr=365186720 [TCP segment of a
reassembled PDU]<br>
51 0.371449250 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186760 TSecr=3470404102<br>
52 0.372385968 23.57.6.166 192.168.1.32
TCP 1266 443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768
Len=1200 TSval=3470404102 TSecr=365186720 [TCP segment of a
reassembled PDU]<br>
53 0.372438156 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186761 TSecr=3470404102<br>
54 0.372859562 23.57.6.166 192.168.1.32
TLSv1.2 991 Certificate, Certificate Status, Server Key
Exchange, Server Hello Done<br>
55 0.372905395 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186762 TSecr=3470404103<br>
56 0.374064614 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128
Len=0 TSval=365186763 TSecr=3470404097<br>
57 0.382856646 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128
Len=0 TSval=365186772 TSecr=3470404103<br>
58 0.387044251 192.168.1.32 23.57.6.166
TCP 74 53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
SACK_PERM=1 TSval=365186776 TSecr=0 WS=128<br>
59 0.401877325 192.168.1.32 23.57.6.166
TCP 74 53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
SACK_PERM=1 TSval=365186791 TSecr=0 WS=128<br>
60 0.402472117 23.57.6.166 192.168.1.32
TCP 66 443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768
Len=0 TSval=3470404136 TSecr=365186763<br>
61 0.402574981 192.168.1.32 23.57.6.166
TCP 66 53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0
TSval=365186791 TSecr=3470404136<br>
62 0.410122326 23.57.6.166 192.168.1.32
TCP 66 443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768
Len=0 TSval=3470404143 TSecr=365186772<br>
63 0.410185971 192.168.1.32 23.57.6.166
TCP 66 53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0
TSval=365186799 TSecr=3470404143<br>
64 0.415533941 23.57.6.166 192.168.1.32
TCP 74 443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
MSS=1460 SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128<br>
65 0.415615607 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0
TSval=365186804 TSecr=3470404148<br>
66 0.416199514 192.168.1.32 23.57.6.166
TLSv1.2 583 Client Hello<br>
67 0.429629098 23.57.6.166 192.168.1.32
TCP 74 443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
MSS=1460 SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128<br>
68 0.429722796 192.168.1.32 23.57.6.166
TCP 66 53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0
TSval=365186819 TSecr=3470404163<br>
69 0.430195036 192.168.1.32 23.57.6.166
TLSv1.2 583 Client Hello<br>
70 0.449937225 23.57.6.166 192.168.1.32
TCP 66 443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0
TSval=3470404182 TSecr=365186805<br>
71 0.451000037 23.57.6.166 192.168.1.32
TLSv1.2 1514 Server Hello<br>
72 0.451064100 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186840 TSecr=3470404183<br>
73 0.451980194 23.57.6.166 192.168.1.32
TCP 1514 443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768
Len=1448 TSval=3470404183 TSecr=365186805 [TCP segment of a
reassembled PDU]<br>
74 0.452031756 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186841 TSecr=3470404183<br>
75 0.452935767 23.57.6.166 192.168.1.32
TCP 1266 443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768
Len=1200 TSval=3470404183 TSecr=365186805 [TCP segment of a
reassembled PDU]<br>
76 0.452991027 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186842 TSecr=3470404183<br>
77 0.453443475 23.57.6.166 192.168.1.32
TLSv1.2 991 Certificate, Certificate Status, Server Key
Exchange, Server Hello Done<br>
78 0.453498215 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186842 TSecr=3470404184<br>
79 0.461625715 192.168.1.32 23.57.6.166
TCP 66 53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128
Len=0 TSval=365186850 TSecr=3470404184<br>
80 0.463463320 23.57.6.166 192.168.1.32
TCP 66 443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0
TSval=3470404196 TSecr=365186819<br>
81 0.464344413 23.57.6.166 192.168.1.32
TLSv1.2 1514 Server Hello<br>
82 0.464433476 192.168.1.32 23.57.6.166
TCP 66 53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0
TSval=365186853 TSecr=3470404197<br>
83 0.465538632 23.57.6.166 192.168.1.32
TCP 1514 443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768
Len=1448 TSval=3470404197 TSecr=365186819 [TCP segment of a
reassembled PDU]<br>
84 0.465628789 192.168.1.32 23.57.6.166
TCP 66 53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0
TSval=365186854 TSecr=3470404197<br>
85 0.466298945 23.57.6.166 192.168.1.32
TCP 1266 443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768
Len=1200 TSval=3470404197 TSecr=365186819 [TCP segment of a
reassembled PDU]<br>
86 0.466437851 192.168.1.32 23.57.6.166
TCP 66 53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0
TSval=365186855 TSecr=3470404197<br>
87 0.467042591 23.57.6.166 192.168.1.32
TLSv1.2 991 Certificate, Certificate Status, Server Key
Exchange, Server Hello Done<br>
88 0.467190976 192.168.1.32 23.57.6.166
TCP 66 53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0
TSval=365186856 TSecr=3470404197<br>
</p>
<p>I start my description with a Client Hello step from the
Raspberry Pi to the ebay.fr server:</p>
<blockquote>
<p>No. Time Source
Destination Protocol Length Info<br>
29 0.329752684 192.168.1.32
23.57.6.166 TLSv1.2 583 Client Hello<br>
</p>
<p>...</p>
<p>Transport Layer Security<br>
TLSv1.2 Record Layer: Handshake Protocol: Client Hello<br>
Content Type: Handshake (22)<br>
Version: TLS 1.0 (0x0301)<br>
Length: 512<br>
Handshake Protocol: Client Hello<br>
Handshake Type: Client Hello (1)<br>
Length: 508<br>
Version: TLS 1.2 (0x0303)</p>
</blockquote>
<p>Then there is another Client Hello step which seems quite
similar to the previous one:</p>
<blockquote>
<p>No. Time Source
Destination Protocol Length Info<br>
32 0.331192579 192.168.1.32
23.57.6.166 TLSv1.2 583 Client Hello</p>
<p>...</p>
<p>Transport Layer Security<br>
TLSv1.2 Record Layer: Handshake Protocol: Client Hello<br>
Content Type: Handshake (22)<br>
Version: TLS 1.0 (0x0301)<br>
Length: 512<br>
Handshake Protocol: Client Hello<br>
Handshake Type: Client Hello (1)<br>
Length: 508<br>
Version: TLS 1.2 (0x0303)</p>
</blockquote>
<p>Then a Server Hello:</p>
<blockquote>
<p>No. Time Source
Destination Protocol Length Info<br>
37 0.364291801 23.57.6.166
192.168.1.32 TLSv1.2 1514 Server Hello</p>
<p>...<br>
</p>
<p>Transport Layer Security<br>
TLSv1.2 Record Layer: Handshake Protocol: Server Hello<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 78<br>
Handshake Protocol: Server Hello<br>
Handshake Type: Server Hello (2)<br>
Length: 74<br>
Version: TLS 1.2 (0x0303)</p>
<p> Random:
08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e<br>
GMT Unix Time: Oct 4, 1974 08:40:20.000000000
Paris, Madrid (heure d’été)<br>
Random Bytes:
bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e<br>
Session ID Length: 0<br>
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(0xc02f)</p>
<p>...</p>
</blockquote>
<p>So it seems the server found a common cipher with the client. I
am not sure then what to look for. Frames 43 and 44 are detected
by Wireshark as retransmissions but I am not sure it is a problem.</p>
<p>I noticed frame 45, which is about the Certificate, Certificate
Status, Server Key Exchange and Server Hello Done:</p>
<blockquote>
<p>No. Time Source
Destination Protocol Length Info<br>
45 0.366709770 23.57.6.166
192.168.1.32 TLSv1.2 991 Certificate, Certificate
Status, Server Key Exchange, Server Hello Done<br>
</p>
<p>Transport Layer Security<br>
TLSv1.2 Record Layer: Handshake Protocol: Certificate<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 4102<br>
Handshake Protocol: Certificate<br>
Handshake Type: Certificate (11)<br>
...<br>
Transport Layer Security<br>
TLSv1.2 Record Layer: Handshake Protocol: Certificate Status<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 479<br>
Handshake Protocol: Certificate Status<br>
Handshake Type: Certificate Status (22)<br>
Length: 475<br>
Certificate Status Type: OCSP (1)<br>
OCSP Response Length: 471<br>
OCSP Response<br>
...<br>
TLSv1.2 Record Layer: Handshake Protocol: Server Key
Exchange<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 333<br>
Handshake Protocol: Server Key Exchange<br>
Handshake Type: Server Key Exchange (12)<br>
Length: 329<br>
EC Diffie-Hellman Server Params<br>
...<br>
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done<br>
Content Type: Handshake (22)<br>
Version: TLS 1.2 (0x0303)<br>
Length: 4<br>
Handshake Protocol: Server Hello Done<br>
Handshake Type: Server Hello Done (14)<br>
Length: 0</p>
<p>...</p>
</blockquote>
<p>I noticed there is a mention of Diffie-Hellman which may require
some attention but I am not sure.</p>
<p>I am sorry for all this information but I really look forward to
knowing more and managing to sort this issue out. Is there
anything in this information that is relevant to understanding the
issue I have? Where should I focus?</p>
<p>Best regards,</p>
<p>JF<br>
</p>
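<p>Added example (an editor's illustration, not code from this thread, from Squid or from OpenSSL): the cache.log lines quoted further down show OpenSSL receiving a "tlsv1 alert inappropriate fallback" from the origin server. That alert is defined by RFC 7507: a client that retries a failed handshake at a lower protocol version adds the signaling cipher suite TLS_FALLBACK_SCSV (0x5600) to its ClientHello, and a server that supports a higher version than the one that ClientHello offers must answer with a fatal inappropriate_fallback (86) alert. The Python below parses a ClientHello record (the fields Wireshark shows under Record Layer and Handshake Protocol), applies that server-side rule, and decodes the alert record a server would send. All ClientHello and alert bytes are constructed inline for the example, and the function names are this example's own.</p>

```python
"""Added example: RFC 7507 TLS_FALLBACK_SCSV handling, seen from the server side.
Not from the squid-users thread; all byte strings are constructed here."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signaling cipher suite value, RFC 7507 section 2
ALERT_INAPPROPRIATE_FALLBACK = 86   # AlertDescription inappropriate_fallback, RFC 7507 section 3

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ClientHello and return the fields
    that matter for a fallback diagnosis: both version numbers and the suites."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:                      # 22 = Handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated record body")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1:                            # 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake body")
    client_version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                                # skip the 32-byte Random
    sid_len = hello[pos]
    pos += 1 + sid_len                          # skip session id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "fallback_scsv": TLS_FALLBACK_SCSV in suites}


def server_fallback_decision(hello: dict, server_max_version: int):
    """RFC 7507 section 3: if the client signals a fallback with TLS_FALLBACK_SCSV
    yet offers a version lower than the server's highest, the server must abort
    with a fatal inappropriate_fallback alert. Otherwise negotiation proceeds
    at the highest version both sides support."""
    if hello["fallback_scsv"] and hello["client_version"] < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("continue", min(hello["client_version"], server_max_version))


def build_client_hello(record_version: int, client_version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (no extensions) for testing."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                           # Random: zeros, constructed sample only
    body += b"\x00"                             # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def parse_alert(record: bytes) -> dict:
    """Decode a TLS Alert record (content type 21), e.g. the server's reply
    when it rejects a fallback ClientHello."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 21 or length != 2:
        raise ValueError("not an alert record")
    level, description = record[5], record[6]
    return {"level": "fatal" if level == 2 else "warning", "description": description}


if __name__ == "__main__":
    # A first-attempt hello like frames 29/32: record layer TLS 1.0, handshake TLS 1.2.
    first = parse_client_hello(build_client_hello(0x0301, 0x0303, [0xC02F]))
    # A retry that downgraded to TLS 1.0 and therefore carries the SCSV.
    retry = parse_client_hello(build_client_hello(0x0301, 0x0301, [0xC02F, TLS_FALLBACK_SCSV]))
    for name, h in (("first attempt", first), ("downgraded retry", retry)):
        print(name, VERSION_NAMES[h["record_version"]], "/", VERSION_NAMES[h["client_version"]],
              "SCSV:", h["fallback_scsv"], "->", server_fallback_decision(h, 0x0303))
    print(parse_alert(b"\x15\x03\x03\x00\x02\x02\x56"))
```

The record-layer version being lower than the handshake version (TLS 1.0 versus TLS 1.2 in frames 29 and 32) is allowed by RFC 5246 and is not itself a fallback signal; the RFC 7507 check uses client_version from the handshake body together with the presence of 0x5600 in the cipher suite list, so those are the two fields to compare against the Cipher Suites list Wireshark shows inside a captured ClientHello, and an alert from the server appears as a separate record of content type 21 with description 86.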
<div class="moz-cite-prefix">On 02/01/2021 at 11:26, jean francois
hasson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:da84475b-c08e-d377-78ae-c80d116bbc19@club-internet.fr">
<p>Hi,</p>
<p>Thank you Amos Jeffries and Antony Stone. It seems the
configuration I have provides the functionality of filtering I
am looking for.</p>
<p>There is a strange behavior I can see when accessing some
legitimate sites, which I see traces of in cache.log:</p>
<blockquote>
<p>2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20
'squidGuard' processes<br>
2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39:
error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
inappropriate fallback (1/-1/0)<br>
2021/01/02 10:57:31 kid1| Error negotiating SSL connection on
FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)<br>
2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38:
error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
inappropriate fallback (1/-1/0)<br>
2021/01/02 10:57:32 kid1| Error negotiating SSL connection on
FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)<br>
2021/01/02 10:57:40 kid1| Starting new redirector helpers...<br>
2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20
'squidGuard' processes<br>
2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51:
error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
inappropriate fallback (1/-1/0)<br>
2021/01/02 10:58:09 kid1| Error negotiating SSL connection on
FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)<br>
2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51:
error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
inappropriate fallback (1/-1/0)<br>
2021/01/02 10:58:10 kid1| Error negotiating SSL connection on
FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)<br>
</p>
</blockquote>
<p>I noticed other users of squid encountered similar issues but I
did not find a clear answer to the issue. Is there a problem
with my setup? I am not sure I will be able to solve it on my own!
Any help would be appreciated.</p>
<p>Best regards,</p>
<p>JF Hasson<br>
</p>
<div class="moz-cite-prefix">On 31/12/2020 at 10:14, Antony Stone
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:202012311014.45914.Antony.Stone@squid.open.source.it">
<pre class="moz-quote-pre" wrap="">On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">If I set up on a device connected to the access point a proxy manually
ie 10.3.141.1 on port 8080, I can access the internet. If I put the
following rules for iptables to use in files rules.v4 :
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Try removing the DNAT rules above. You should be using REDIRECT for intercept
mode to work correctly.
Antony.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
</body>
</html>