[squid-users] SSL errors with Squid 3.5.27
Julian Perconti
vh1988 at yahoo.com.ar
Fri Jun 8 23:15:31 UTC 2018
Hello community, I am new to the list and, I hope everyone is well.
I have running a squid server on debian 7.
My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to
problems with Dropbox. After compiling squid with LibreSSL, the error
"unknown cipher returned" has disappeared and dropbox worked correctly.
Everything works quite well, except that in /var/log/squid/cache.log there
are 5 types of problems (at least):
[1] 2018/06/08 17:14:05 kid1| Error negotiating SSL connection on FD 7:
error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca (1/0)
[2] 2018/06/08 17:14:39 kid1| Error negotiating SSL on FD 11:
error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
(1/-1/0)
[3] 2018/06/08 18:35:43 kid1| Error negotiating SSL connection on FD 10:
(104) Connection reset by peer
[4] 2018/06/08 18:56:52 kid1| Error negotiating SSL on FD 13:
error:00000000:lib(0):func(0):reason(0) (5/-1/104)
[5] 2018/06/08 19:20:06 kid1| Error negotiating SSL connection on FD 9:
error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt (1/-1)
However I think (I'm not sure but ...), that the most serious is the number
[2]:
SSL negotiating error on FD 11: error: 14007086: SSL routines:
CONNECT_CR_CERT:certificate verify failed (1/-1/0)
The problem I have it with WhatsApp from mobile devices ... the application
tries to connect to the network indefinitely without success, and the error
that appears (at that moment) is [2]: (...) certificate verify failed
(1/-1/0)
This is the most relevant configuration of squid currently:
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
cert=/etc/squid/ssl_cert/squidCA.pem \
key=/etc/squid/ssl_cert/squidCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls-dh=/etc/squid/ssl_cert/dhparam.pem
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /etc/squid/ssl_cert/cert.pem # LibreSSL SLL CA Bundle
sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/intermediate.pem
sslproxy_options SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:E
ECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!
aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump stare step2 all
ssl_bump bump step3 all
(...)
In the file "/etc/squid/url.nobump", I have expressions like these:
(...)
# IM
\.skype\.com$
\.whatsapp\.com$
\.whatsapp\.net$
(...)
I have read whatsapp, facebook, and many others servers use "Certificate
Pinning" to avoid "Man-in-the-middle" attacks.
But I can not find any solution/fix or workaround.
The server certificate is installed on mobile devices. The flaw occurs with
both Android and iOS devices.
Any kind of suggestion is welcome; both if there is something wrong in the
configuration written above, or better yet if someone knows the cause and
solution of this problem.
Thank you very much to all!
More information about the squid-users
mailing list