[squid-users] Peeking on TLS traffic: unknown cipher returned

Leandro Barragan lean0x2f at gmail.com
Wed Oct 19 06:44:41 UTC 2016


Hi!

I'm having trouble with SSL Peek & Splice in Squid 3.5.16 using
intercept mode. I'm trying to configure a transparent proxy (no CA
installed on clients) which denies access to specific sites. I
understand that if I can't Bump (my case), then I can only use SNI
information from TLS "Client Hello" on Step 2.

Everything works OK with most sites, but when I try to connect to some
sites like facebook.com or microsoft.com, clients can't connect and I
get this error on cache.log:

> [...]
> Error negotiating SSL on FD 111: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
> [...]

Reading emails from this list, I came to the conclusion that this
error is related to new ciphers (like ChaCha20) which are not
supported by OpenSSL 1.0.1... So I tried to compile Squid using
OpenSSL 1.1.0, which is not possible (bug #4599). I also tried to
compile it using LibreSSL unsuccessfully.

I fail to see why this is happening. I only need to peek on the
connection and make a decision based on SNI, I'm not Bumping, so I
don't understand why ciphers matter in my situation.

My squid.conf:

> [...]
> acl face ssl::server_name_regex -i facebook
> acl twitter ssl::server_name_regex -i twitter
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/myCA.pem options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> sslproxy_capath /var/lib/ssl_db
>
> ssl_bump peek all step1
> ssl_bump peek all step2
> ssl_bump terminate face step3
> ssl_bump terminate twitter step3
> ssl_bump splice all step3
>
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 10
> sslproxy_cert_error deny all
> [...]


Any ideas would be really appreciated.

--

Leandro
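To show what a step-2 peek actually has to work with, here is an added Python example (not from the original post and not Squid's own code) that builds a constructed TLS 1.2 ClientHello carrying an SNI, extracts the server_name and the offered cipher suites from the record, and applies the same terminate-or-splice decision the ssl::server_name_regex ACLs above express. The cipher suite values 0xCCA8 (ChaCha20-Poly1305) and 0xC02F are sample choices, and the decision itself only reads the SNI, as the post argues.

```python
import re
import struct

def build_client_hello(server_name, cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a capture)."""
    sni_name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name   # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # server_name ext
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                            # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the SNI and offered cipher suites from a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                      # record hdr(5) + hs hdr(4) + version(2) + random(32)
    sid_len = record[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = record[p]; p += 1 + comp_len
    sni = None
    if p + 2 <= len(record):            # extensions block is optional
        ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == 0:              # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    return {"sni": sni, "cipher_suites": suites}

def peek_decision(record, terminate_patterns):
    """Mirror the step2/step3 rules: terminate on an SNI regex match, else splice."""
    sni = parse_client_hello(record)["sni"]
    if sni and any(re.search(pat, sni, re.IGNORECASE) for pat in terminate_patterns):
        return "terminate"
    return "splice"
```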

