[squid-users] Peeking on TLS traffic: unknown cipher returned
James Lay
jlay at slave-tothe-box.net
Fri Oct 21 16:01:52 UTC 2016
On 2016-10-21 09:58, Leandro Barragan wrote:
> James, thanks for your advice! I've read your email on this list about
> LibreSSL. I tried to compile Squid with LibreSSL in the first place
> because of what you wrote about ChaCha20. But unfortunately, I
> couldn't, compilation stopped because of some obscure error.
>
> Do you remember what version of squid and libressl you used? BTW I
> tried with OpenSSL 1.0.2g applying the CloudFlare ChaCha20 patch, but
> it doesn't work either, same error (unknown cipher).
>
> Thanks!
>
> On 21 October 2016 at 10:55, James Lay <jlay at slave-tothe-box.net>
> wrote:
>> On 2016-10-20 20:15, Leandro Barragan wrote:
>>>
>>> Thanks for your time Alex! I modified my original config based on Amos'
>>> recommendations, so I think now I have a more consistent peek & splice
>>> config:
>>>
>>> acl TF ssl::server_name_regex -i facebook fbcdn twitter reddit
>>> ssl_bump peek all
>>> ssl_bump terminate TF
>>> ssl_bump splice all
>>>
>>> As you mentioned, terminate closes the connection, it doesn't serve an
>>> error page (when it works, i.e. with reddit and twitter).
>>>
>>> I've compiled Squid 3.5.22 using OpenSSL 1.0.2j and I'm having the
>>> same exact issue, even with this new config. Based on what you
>>> explained, I think it's an OpenSSL problem and Squid can't do anything
>>> about it. I have two reasons to believe that:
>>>
>>> 1) The "unknown cipher returned" error gets triggered on terminated
>>> and non-terminated (e.g. microsoft.com) sites, which makes me think it
>>> has nothing to do with Squid ACLs.
>>> 2) All problematic sites use a new cipher called "ChaCha20" (e.g.
>>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, according to Qualys'
>>> online analyzer and the TestSSLServer tool).
>>>
>>> A lot of sites are using this new cipher. I'm back at the beginning, I
>>> will continue trying to compile Squid with patched versions of OpenSSL
>>> or LibreSSL.
>>>
>>> Thanks!
>>>
>>> On 20 October 2016 at 01:01, Alex Rousskov
>>> <rousskov at measurement-factory.com> wrote:
>>>>
>>>> On 10/19/2016 12:44 AM, Leandro Barragan wrote:
>>>>
>>>>>> error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher
>>>>>> returned (1/-1/0)
>>>>
>>>>
>>>>> I fail to see why is this happening. I only need to peek on the
>>>>> connection and make a decision based on SNI,
>>>>
>>>>
>>>> Please note that "peek and make a decision based on SNI" is not what
>>>> your configuration tells Squid to do. Your configuration tells Squid to
>>>> peek during step2, which means making a decision based on server
>>>> certificates (and SNI).
>>>>
>>>>
>>>>> I'm not Bumping, so I
>>>>> don't understand why ciphers matter in my situation.
>>>>
>>>>
>>>> The ciphers matter because Squid v3 uses OpenSSL parsers during step1,
>>>> step2, and step3. FWIW, Squid v4 uses OpenSSL parsers during step2 (a
>>>> little) and step3. It is possible to completely remove OpenSSL from
>>>> step2 but there is currently no project to do that AFAIK.
>>>>
>>>>
>>>>>> ssl_bump peek all step1
>>>>>> ssl_bump peek all step2
>>>>>> ssl_bump terminate face step3
>>>>>> ssl_bump terminate twitter step3
>>>>>> ssl_bump splice all step3
>>>>
>>>>
>>>> BTW, "step1", "step2", and "step3" ACLs do nothing useful in the above
>>>> config. You can safely remove them to arrive at the equivalent ssl_bump
>>>> configuration.
>>>>
>>>>
>>>> On 10/19/2016 07:42 AM, Amos Jeffries wrote:
>>>>>
>>>>> Terminate means impersonating the server and responding to the client
>>>>> with an HTTPS error page.
>>>>
>>>>
>>>> Terminate means "close client and server connections immediately". The
>>>> problem is not with the terminate action but with peeking (which relies
>>>> on OpenSSL, especially during step2, especially in Squid v3).
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>
>>
>> FWIW I've had great success with the git version of libressl and using the
>> below:
>>
>> ./configure --prefix=/opt/libressl
>>
>> and for squid:
>>
>> ./configure --prefix=/opt --with-openssl=/opt/libressl --enable-ssl
>> --enable-ssl-crtd
>>
>> James
I'm currently using squid-3.5.22 and using the below git for libressl:
commit b7ba692f72f232602efb3e720ab0510406bae69c
Author: Brent Cook <bcook at openbsd.org>
Date: Wed Sep 14 23:40:10 2016 -0500
What's the error you're getting when you try and compile?
James
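As an added illustration, not written by anyone in this thread, of Alex's point that a peeking proxy which never decrypts anything still has to understand the ServerHello: a minimal ServerHello parser run against a constructed pre-ChaCha20 cipher table and against the same table with the two RFC 7905 ChaCha20-Poly1305 suites added. The suite IDs are real (RFC 7905); the suite tables and the packet bytes are constructed fixtures, not captured traffic.

```python
import struct

# Constructed subset modelled on a cipher table that predates ChaCha20 support.
LEGACY_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# The two ChaCha20-Poly1305 suites defined in RFC 7905.
CHACHA_SUITES = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
UPDATED_SUITES = {**LEGACY_SUITES, **CHACHA_SUITES}


class UnknownCipher(Exception):
    """The ServerHello selected a suite the parser's table does not know."""


def parse_server_hello(record: bytes, table: dict) -> dict:
    """Parse one TLS record carrying a ServerHello and resolve its cipher suite."""
    ctype, _rec_ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 0
    server_version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 32                      # server random
    sid_len = hs[pos]
    pos += 1 + sid_len             # session id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    if suite not in table:         # a peeking parser fails here, even without decrypting
        raise UnknownCipher("unknown cipher returned: 0x%04X" % suite)
    return {"version": server_version, "suite_id": suite, "suite": table[suite]}


def build_server_hello(suite: int) -> bytes:
    """Build a minimal TLS 1.2 ServerHello record (constructed test fixture)."""
    hs = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
          + struct.pack("!H", suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body
```

Feeding the same ServerHello to both tables reproduces the thread's symptom: the legacy table raises UnknownCipher for 0xCCA9 while the updated table resolves it.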