[squid-users] Skype Issues

Yuri yvoinov at gmail.com
Mon Jun 27 14:43:55 UTC 2016


Looks like your SSL library does not contain SSLv3 protocol support
anymore, but the site announces it.


27.06.2016 20:42, Renato Jop writes:
> I removed the NO_SSLv2, NO_SSLv3; however, right before the
> SSL3_GET_RECORD:wrong version number, the SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov at gmail.com> wrote:
>
>     Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 is already not
>     supported anywhere, RC4/3DES are SSLv3 ciphers, so it can confuse
>     software. I.e., you use custom cipher/protocol combinations, which
>     can lead to issues.
>
>
>     27.06.2016 20:25, Renato Jop writes:
>>     Thank you both for your valuable help.
>>     I've configured the tls-dh param with a strong Diffie-Hellman
>>     group (2048 bits) and configured the cipher as Yuri specified and
>>     I was able to get past the unknown cipher; however, now I get a
>>     "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the
>>     configuration I changed:
>>     cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>     dhparams=/etc/dh-parameters.2048
>>     options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>     tls-dh=/usr/local/etc/squid/dhparams.pem
>>
>>
>>
>>     Renato Jop
>>
>>     On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
>>
>>
>>         -----BEGIN PGP SIGNED MESSAGE-----
>>         Hash: SHA256
>>
>>
>>
>>         25.06.2016 23:09, Amos Jeffries writes:
>>         > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>         >>
>>         >> Amos, you are wrong.
>>         >>
>>         >> No Squid-4. It's unstable and not ready for production. Whatever its
>>         >> features.
>>         >
>>         > So some beta software has bugs therefore nobody should ever use it for
>>         > anything. I find that to be a strange and sad view of the world.
>>         >
>>         > Care to guess why I listed it as the last option amongst several?
>>         >  Or why 4.0.11 exists as a beta still?
>>         > It *is* an option for the mentioned problem(s) though whatever its
>>         > utility.
>>         Agreed.
>>         >
>>         >>
>>         >> Some time ago I had the same issue and know what happens exactly.
>>         >>
>>         >> Skype initial connection site uses RC4 cipher. Which is disabled in most
>>         >> squid's configuration.
>>         >
>>         > Your "know what happens exactly" differs from at least two other peoples'
>>         > debugging experiences with Skype.
>>         >
>>         > RC4 is on the hitlist for most of the big vendors for the past year or
>>         > so. IIRC there were several Windows Updates to remove it and other
>>         > broken bits from a lot of things over the past year.
>>         > If Skype is still using RC4 it might be part of this problem.
>>         I'm sure this is the problem and this problem exists. MS does nothing to
>>         make their sites/services more secure. BTW, MS Updates uses RC4 ciphers
>>         itself at this time. With strong ciphers there is no way to set up WU
>>         via Squid. I've spent much time identifying this problem in my setup
>>         and finding a working workaround.
>>
>>         Another part of the problem is: MS often uses its own self-signed roots,
>>         which exist in Windows, but nowhere else. And which are not
>>         cross-signed by well-known root CAs. They think it makes MS services
>>         more secure. They are wrong. But we can't do anything about it. So,
>>         this forced us to add self-signed MS roots to our Squid's CA bundles
>>         to bump/splice.
>>         >
>>         >>
>>         >> To make it work (as with most M$ update sites) it simply requires
>>         >> using this cipher suite:
>>         >>
>>         >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>         >>
>>         >> That works for me in 5 SSL bumped setups. It does not matter which
>>         >> squid version is installed.
>>         >
>>         > Thank you. That's another option then. I'd rate that below trying the EC
>>         > ciphers, and above library updates.
>>         You are welcome.
>>
>>         Just for information: MS has its own IT infrastructure, with some
>>         strangely configured and not well-managed elements. I can't guarantee
>>         this workaround will work everywhere or for every MS service.
>>
>>         When I did my research, I saw some strange TLS security combinations
>>         on MS sites/services. I.e., for example, RC4+ECDSA+TLSv1.2.
>>         Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
>>         potentially dangerous combinations. And their support ignores all
>>         requests. As usual.
>>
>>         To my regret, I can not order all of its users to abandon the use of
>>         Windows. So far, my infrastructure has machines with Windows XP.
>>
>>         With this nothing can be done; it is necessary only to weaken the
>>         security, for the sake of compatibility.
>>         >
>>         >
>>         > Amos
>>         > _______________________________________________
>>         > squid-users mailing list
>>         > squid-users at lists.squid-cache.org
>>         > http://lists.squid-cache.org/listinfo/squid-users
>>
>>         -----BEGIN PGP SIGNATURE-----
>>         Version: GnuPG v2
>>
>>         iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z
>>         yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW
>>         OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS
>>         0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK
>>         3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF
>>         Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=
>>         =8BTp
>>         -----END PGP SIGNATURE-----
>>
>>
>>
>>
>
>
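The diagnosis in the thread (the configuration names a protocol or cipher that the local SSL library no longer provides, leaving the peer to fail with "wrong version number" or "unknown protocol") can be checked on the proxy host before touching Squid. The Python script below is an added example, not code from the thread or from the Squid project: it reports which protocol versions the local OpenSSL build still offers, expands a cipher string such as the one quoted above into the suites it actually selects, lists the requested tokens that select nothing on this build, and flags the legacy suites (RC4, 3DES, MD5, NULL, export) that such a compatibility string keeps enabled. The function names and the `WEAK_MARKERS` list are this example's own assumptions, not Squid or OpenSSL definitions.

```python
import ssl

# Substrings that identify legacy or broken suites in OpenSSL suite names.
# This marker list is the example's own assumption, not an OpenSSL definition.
WEAK_MARKERS = ("RC4", "DES-CBC3", "3DES", "MD5", "NULL", "EXP")


def library_protocol_support():
    """Report which protocol versions the local OpenSSL build still offers.

    A False 'sslv3' is the situation described in the thread: the proxy
    configuration may announce SSLv3-era suites, but the library cannot
    negotiate that protocol, so the peer sees a version it cannot match.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sslv2": getattr(ssl, "HAS_SSLv2", False),
        "sslv3": getattr(ssl, "HAS_SSLv3", False),
        "tlsv1": getattr(ssl, "HAS_TLSv1", False),
        "tlsv1_3": getattr(ssl, "HAS_TLSv1_3", False),
    }


def expand_cipher_string(cipher_string):
    """Return the suite names an OpenSSL cipher string selects on this build.

    OpenSSL silently ignores tokens it does not know and only fails when the
    whole string selects nothing; that failure is mapped to an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not
    # control; drop them so the report reflects the string itself.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Suites whose name carries a legacy marker (RC4, 3DES, MD5, NULL, export)."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def audit_cipher_string(cipher_string):
    """Explain what a cipher string means on this host.

    'unavailable' lists the positive tokens that select no suite at all,
    i.e. features the configuration asks for but the library lacks.
    """
    selected = expand_cipher_string(cipher_string)
    unavailable = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+@":
            continue  # exclusions and ordering directives never select suites
        if not expand_cipher_string(token):
            unavailable.append(token)
    return {
        "selected": selected,
        "weak": weak_suites(selected),
        "unavailable": unavailable,
    }


if __name__ == "__main__":
    # The compatibility cipher string quoted in the thread.
    quoted = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"
    print(library_protocol_support())
    report = audit_cipher_string(quoted)
    print(f"{len(report['selected'])} suites selected by the string")
    print("requested but unavailable on this build:", report["unavailable"])
    print("legacy suites the string keeps enabled:", report["weak"])
```

On a current OpenSSL the `RC4` token usually lands in `unavailable` and `sslv3` is False, which is the mismatch between what the configuration announces and what the library can do; if the string does resolve to RC4 or 3DES suites, `weak` shows exactly which ones the compatibility tradeoff leaves on.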
