[squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Marc gaardiolor at gmail.com
Wed Oct 5 21:17:14 UTC 2016


Well.. it looks like the issue I'm having (subject: handshake problems
with stare and bump).

IE8 on XP sends out:

Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 104
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 100
            Version: TLS 1.0 (0x0301)
            Random
                GMT Unix Time: Oct  5, 2016 22:53:22.000000000 CEST
                Random Bytes:
f1a9d796abe91c5187a2b3c7d726f02bc64a45992c92599c...
            Session ID Length: 32
            Session ID: 09f457ce0ebaea9adf703ee1c4eaf999b169da6610132dc1...
            Cipher Suites Length: 22
            Cipher Suites (11 suites)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
                Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 5
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

Mimicking in openssl (well.. not perfect but it does the job I guess):
openssl s_client -quiet -connect www.google.com:443 -tls1 -cipher
RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA
 < <(echo -e "GET / HTTP/1.1\nHost: https://www.google.com\n\n")
SQUID_ERR_SSL_HANDSHAKE

Like the problem in my post, IE8 on XP doesn't use many TLS
extensions. Adding a random extension, like in my post:
openssl s_client -quiet -connect www.google.com:443 -tls1 -cipher
RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP1024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:DHE-DSS-DES-CBC3-SHA:DHE-DSS-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA
-serverinfo 12345 < <(echo -e "GET / HTTP/1.1\nHost:
https://www.google.com\n\n")
Success!

Don't want to pull the bug card too quick, but well..

Marc
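The capture above shows the two traits that matter here: a TLS 1.0 ClientHello whose only extension is renegotiation_info (so no SNI), and a suite list made of RC4, DES and export ciphers. The following Python is an added example, not code from the post or from Squid: it builds a ClientHello record with the same structure as the capture (random and session id are constructed zero bytes), parses it back, and reports the legacy traits a proxy or log pipeline might flag. Suite and extension numbers are the IANA values shown in the capture; the `legacy_findings` labels are this example's own wording.

```python
import struct

# Cipher suites offered by the IE8-on-XP ClientHello in the capture (IANA ids).
IE8_XP_SUITES = [0x0004, 0x0005, 0x000a, 0x0009, 0x0064, 0x0062,
                 0x0003, 0x0006, 0x0013, 0x0012, 0x0063]
# Suites from that list that use RC4, single DES or export-grade keys.
WEAK_SUITES = {0x0004, 0x0005, 0x0009, 0x0064, 0x0062, 0x0003, 0x0006, 0x0012, 0x0063}

EXT_SERVER_NAME = 0x0000
EXT_RENEGOTIATION_INFO = 0xff01


def sni_extension(host):
    """Encode a server_name extension body (RFC 6066) with one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(cipher_suites, extensions=None, version=(3, 1)):
    """Build a TLS record carrying a ClientHello (constructed test data).
    extensions=None omits the extensions block entirely; [] emits an empty one."""
    body = bytes(version)
    body += bytes(32)                       # client random (constructed zeros)
    body += b"\x20" + bytes(32)             # 32-byte session id (constructed zeros)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into version, cipher suites and extensions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                            # skip version and random
    pos += 1 + body[pos]                    # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                    # skip compression methods
    extensions = None
    if pos < len(body):                     # extensions block is optional in TLS 1.0
        extensions = []
        total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + total
        while pos < end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions.append((ext_type, body[pos:pos + elen]))
            pos += elen
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def legacy_findings(hello):
    """Traits of a ClientHello that mark a legacy client (labels are this example's)."""
    findings = []
    ext_types = [t for t, _ in (hello["extensions"] or [])]
    if hello["extensions"] is None:
        findings.append("no extensions block")
    if EXT_SERVER_NAME not in ext_types:
        findings.append("no SNI")
    if len(ext_types) <= 1:
        findings.append("at most one extension")
    if any(s in WEAK_SUITES for s in hello["cipher_suites"]):
        findings.append("RC4/DES/export suites offered")
    return findings


if __name__ == "__main__":
    ie8 = build_client_hello(IE8_XP_SUITES, [(EXT_RENEGOTIATION_INFO, b"\x00")])
    print("record length", len(ie8) - 5, legacy_findings(parse_client_hello(ie8)))
```

Built with the capture's suite list and its single renegotiation_info extension, the record comes out at 104 bytes with a 100-byte handshake, matching the Length fields in the dump. The parser treats a missing extensions block and an empty one as different cases because TLS 1.0 allows both, and a bump-capable proxy needs the SNI (or its absence) to decide how to proceed.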

