[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server helllo

Loučanský Lukáš Loucansky.Lukas at kjj.cz
Wed Jun 17 09:29:54 UTC 2020


Found this:

2020/06/17 08:06:31.292 kid2| 24,7| BinaryTokenizer.cc(74) got: SupportedVersions.octets= caca0304030303020301 occupying 10 bytes @1 in 0x7ffd9ba4a0b0.
0x0301 - 0x0304 -> TLS versions to TLS1.3

0xcaca = non-existent

(a few lines further:)
BinaryTokenizer.cc(65) got: supported_version.major=202 occupying 1 bytes @0 in 0x7ffd9ba4a0f0. 

Note 0xCA = 202 dec

More examples:
2020/06/17 08:06:31.312 kid1| 24,7| BinaryTokenizer.cc(74) got: SupportedVersions.octets= 3a3a0304030303020301 occupying 10 bytes @1 in 0x7ffe348a1f30.

2020/06/17 08:06:31.312 kid1| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=58 occupying 1 bytes @0 in 0x7ffe348a1f70.

Note 0x3A = 58 dec

2020/06/17 08:06:31.324 kid1| 24,7| BinaryTokenizer.cc(74) got: SupportedVersions.octets= aaaa0304030303020301 occupying 10 bytes @1 in 0x7ffe348a1f30.
2020/06/17 08:06:31.324 kid1| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=170 occupying 1 bytes @1 in 0x7ffe348a1f70.

Note 0xAA = 170 dec


So - I think this is a) a badly parsed string in /parser/BinaryTokenizer.cc (not likely), or b) in /security/HandShake.cc (line 526 and beyond)
Security::HandShakeParser does not ignore obviously nonsense versions

What I see is - that it calls the tokenizer to get tkVersions, then asks ParseProtocolVersion to check it. I think that the ParseProtocolVersion code checks for version 0.2 OR expects version 3.x - but gets versions 202 or 58 etc.

It seems logical to my limited knowledge to check for and ignore unknown versions (GREASEd????). I think this is the while statement involved

while (!tkVersions.atEnd()) {
    const auto version = ParseProtocolVersion(tkVersions, "supported_version");
    if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
        supportedVersionMax = version;
}

It calls the parser - according to
2020/06/17 08:06:31.312 kid1| 0,3| Handshake.cc(119) ParseProtocolVersion: check failed: vMajor == 3    exception location: Handshake.cc(119) ParseProtocolVersion

It fails while calling it - so the check must be before calling ParseProtocolVersion or while in it - there is a statement Must(vMajor==3) on line 119 - so I think this is the breakpoint call. Would a simple if (vMajor <= 3)... statement be sufficient? What value should it return in case of a non-parsable version? Surely not any value or some arbitrary value such as TLS1.something or SSLv3 ... It goes through SSLv2 to SSLv3 (implies vMajor = 3) and for versions >3.0 returns TLS1.vMinor-1 (???). So what should it do if it's called with version 0xCACA or 0x3A3A - I think that there should be a check in the mentioned while statement - but it involves parsing the major and minor version. ParseProtocolVersion already does this. But I think the goal of this is to find the max supported TLS version - so it should not fail on non-existent versions. So I think the mentioned while statement should sort this out, not calling the parser to ask for a TLS version for "random" numbers.

LL



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Loučanský Lukáš
Sent: Wednesday, June 17, 2020 9:11 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] SQUID 4.12 (Debian 10,OpenSSL 1.1.1d) - SSL bump no server helllo


> That is somewhat useful. TLS version being received is not valid.

Ok - although this is the squid users forum - this could be even more useful:

Firefox - http://download.kjj.cz/pub/ssl/firefox.txt it goes through everything to the GET / HTTP/1.1 request

Chrome - http://download.kjj.cz/pub/ssl/chrome.txt - it goes from
2020/06/17 08:06:31.292 kid1| 93,7| HttpRequest.cc(63) ~HttpRequest: destructed, this=0x55e730f38e50
2020/06/17 08:06:31.292 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=202 occupying 1 bytes @0 in 0x7ffd9ba4a0f0.
2020/06/17 08:06:31.292 kid1| 24,8| SBuf.cc(70) ~SBuf: SBuf71215602 destructed
2020/06/17 08:06:31.292 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=202 occupying 1 bytes @1 in 0x7ffd9ba4a0f0.
2020/06/17 08:06:31.292 kid1| 24,8| SBuf.cc(70) ~SBuf: SBuf71215601 destructed

to
2020/06/17 08:06:31.292 kid2| 0,3| Handshake.cc(119) ParseProtocolVersion: check failed: vMajor == 3
    exception location: Handshake.cc(119) ParseProtocolVersion

It is not working in all Chrome-based browsers - Edge, Opera... It is working in MSIE and FF

LL
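
Added example, not part of the original post and not Squid's code: one way to pick the highest version from a supported_versions list while skipping GREASE values (RFC 8701) instead of failing on them, run against the octet strings from the log lines above. The names isGrease, fromHex and maxSupportedVersion are hypothetical, and skipping every entry whose major byte is not 3 is an assumption about the desired behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// RFC 8701 reserves 0x0A0A, 0x1A1A, ..., 0xFAFA as GREASE values:
// both bytes are equal and the low nibble of each byte is 0xA.
static bool isGrease(uint16_t v) {
    return (v & 0x0F0F) == 0x0A0A && (v >> 8) == (v & 0xFF);
}

// Decode the hex form in which the debug log prints SupportedVersions.octets.
static std::vector<uint8_t> fromHex(const std::string &hex) {
    if (hex.size() % 2)
        throw std::invalid_argument("odd-length hex string");
    std::vector<uint8_t> out;
    for (size_t i = 0; i < hex.size(); i += 2)
        out.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return out;
}

// Hypothetical helper: returns the highest recognised version as major<<8|minor
// (0x0304 is TLS 1.3), or 0 when the list holds no recognised entry.
static uint16_t maxSupportedVersion(const std::vector<uint8_t> &octets) {
    if (octets.size() % 2)
        throw std::invalid_argument("truncated supported_versions list");
    uint16_t best = 0;
    for (size_t i = 0; i < octets.size(); i += 2) {
        const uint16_t v = static_cast<uint16_t>((octets[i] << 8) | octets[i + 1]);
        if (isGrease(v))
            continue; // reserved value: ignore it, do not treat it as an error
        if ((v >> 8) != 3)
            continue; // assumption: unknown major byte is skipped, not fatal
        if (v > best)
            best = v;
    }
    return best;
}

int main() {
    // Octet strings copied from the log lines in the post.
    const char *samples[] = {"caca0304030303020301", "3a3a0304030303020301",
                             "aaaa0304030303020301"};
    for (const char *s : samples)
        std::printf("%s -> 0x%04x\n", s, maxSupportedVersion(fromHex(s)));
    return 0;
}
```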
