[squid-users] Possible SSL Bug in v3.5.13?

David Marcos davem.business at gmail.com
Wed Jan 13 02:42:18 UTC 2016


I recently upgraded to Squid v3.5.13 and am encountering at least two
errors when processing certain HTTPS connections.  I am not sure if it is a
bug or a configuration error on my part.

The first error I am seeing is when shutterfly.com is accessed by a user.
The issue occurs regardless of whether I splice or bump the site.  A user
can browse to the page, but if they click on anything on the site, squid
encounters a fault.  The system does not crash; it recovers, but the proxy
is down for about 30 seconds.  Note that this occurs in regular forward
proxy mode, not intercept mode.

My knowledge of SSL is somewhat limited, so I am not sure if I have
misconfigured things in a way that creates the problem.  Two questions I
have are (a) to apply ECDH properly, must an optional cipher be chosen for
the tls-dh option? and (b) to properly apply ECDH, do I have to recreate
the dhparam file using an ECDH cipher (I'm currently using the dhparam file
that I previously had)?

Separate from the above (or perhaps related), the second issue I am also
seeing is odd errors in the cache.log that are causing squid to fault and
recover.  I am not yet sure which sites are causing the issue, but I am
seeing the following error: FATAL: dying from an unhandled exception:
!theConsumer.  This error seems to be consistently preceded by "Error
negotiating SSL on FD 25: error:14077102:SSL
routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)".

The prior version I was running was v3.5.12 and I know that version had no
problems when accessing shutterfly.com nor the odd FATAL message I am
seeing with the below configuration.

Following is more detailed info for the first problem I am encountering
above with shutterfly.com.  Please let me know if additional information is
needed.

Cache.log extracts when accessing shutterfly.com:
--------------------------------------------------------------------

2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 91:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)

2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 98:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)

2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 89:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)

2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 62:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)

2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 63:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)

2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)

2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)

2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 58:
error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
(1/-1/0)


Extracts from my squid.conf file:
----------------------------------------------

http_port 127.0.0.1:3128

http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=cert.pem tls-dh=cert.dhparam.pem

http_port 192.168.10.1:3129 intercept  disable-pmtu-discovery=transparent
name=http_icept

https_port 192.168.10.1:3130 intercept  disable-pmtu-discovery=transparent
ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=cert.pem tls-dh=cert.dhparam.pem name=https_icept

sslcrtd_program /usr/lib/squid/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB

...

ssl_bump peek SSL_Step1 !dont_peek_or_stare mynet

ssl_bump splice dont_bump_me mynet

ssl_bump bump mynet

ssl_bump terminate all


# Various SSL Proxy Config Stuff

sslproxy_cert_error allow broken_certs

sslproxy_cert_error deny all

sslproxy_cert_sign_hash sha256

sslproxy_capath /etc/ssl/certs/

sslproxy_foreign_intermediate_certs /etc/ssl/certs/

sslproxy_options No_Compression,NO_TLSv1,NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

------------------------

Thanks,

    Dave
___________________________________________________________
Dave Marcos
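As an added example (not part of the post above, and not Squid code), a small cache.log triage script for the failure pattern the post describes: it splits each "Error negotiating SSL" entry into the OpenSSL error fields (code, library, function, reason), counts failures per function/reason, and records which SSL error immediately preceded each FATAL entry. The sample log is constructed from the extracts in the post, with each entry on one line as cache.log writes it (the mail client wrapped the originals).

```python
import re
from collections import Counter

# Constructed sample modelled on the post's cache.log extracts (not a real capture).
SAMPLE_LOG = """\
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 91: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 62: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| FATAL: dying from an unhandled exception: !theConsumer
"""

# cache.log entry: "<date> <time> kidN| <message>"
ENTRY_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| (?P<msg>.*)$")
# OpenSSL error strings have the form error:<8 hex digits>:<library>:<function>:<reason>
SSL_ERR_RE = re.compile(
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*?)\s*\("
)
FATAL_RE = re.compile(r"^FATAL: (?P<text>.*)$")


def analyze(text):
    """Count SSL negotiation failures by (function, reason) and, for every FATAL
    entry, record the SSL error that immediately preceded it (None if there was none)."""
    counts = Counter()
    fatals = []            # list of (fatal message, preceding SSL error dict or None)
    last_ssl_error = None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue       # skip continuation or unrelated lines
        msg = entry.group("msg")
        err = SSL_ERR_RE.search(msg)
        if err:
            key = (err.group("func"), err.group("reason"))
            counts[key] += 1
            last_ssl_error = {"ts": entry.group("ts"), "fd": int(err.group("fd")),
                              "code": err.group("code"), "func": key[0], "reason": key[1]}
            continue
        fatal = FATAL_RE.match(msg)
        if fatal:
            fatals.append((fatal.group("text"), last_ssl_error))
    return {"counts": counts, "fatals": fatals}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (func, reason), n in result["counts"].most_common():
        print(f"{n:3d}  {func}: {reason}")
    for text, prior in result["fatals"]:
        print(f"FATAL '{text}' preceded by: {prior}")
```

Run it over a real cache.log to see whether the FATAL is always preceded by the same OpenSSL function/reason, which narrows the search for the triggering sites.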