[squid-users] Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson jfhasson at club-internet.fr
Sun Jan 3 18:15:00 UTC 2021


Hi,

After reading more information on this kind of error I captured a few 
transactions with Wireshark running on the Raspberry Pi hosting squid 
4.6 and openssl 1.1.1d. I captured some transactions when trying to 
access ebay.fr which is currently not successful with the setup I have, 
with the error of inappropriate fallback mentioned below.

I am not familiar with TLS transactions so I will try to present a high 
level view of the transactions between the Raspberry Pi and the ebay.fr 
server. I hope you can guide me as to what I should focus on to 
understand, if possible, the issue I have.

A bird's eye view of the transactions from Wireshark over time is:

    No.  Time         Source        Destination   Protocol  Length  Info
    23   0.175795327  192.168.1.32  192.168.1.1   DNS       71      Standard query 0x057e A www.ebay.fr
    24   0.214678299  192.168.1.1   192.168.1.32  DNS       165     Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
    25   0.301067317  192.168.1.32  23.57.6.166   TCP       74      53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
    26   0.302488046  192.168.1.32  23.57.6.166   TCP       74      53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
    27   0.328959454  23.57.6.166   192.168.1.32  TCP       74      443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
    28   0.329115340  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
    29   0.329752684  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
    30   0.330530288  23.57.6.166   192.168.1.32  TCP       74      443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
    31   0.330644819  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
    32   0.331192579  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
    35   0.351054404  192.168.1.32  192.168.1.98  TCP       54      5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
    36   0.363323884  23.57.6.166   192.168.1.32  TCP       66      443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
    37   0.364291801  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
    38   0.364347270  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
    39   0.365482999  23.57.6.166   192.168.1.32  TCP       1514    443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
    40   0.365535030  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
    41   0.366217999  23.57.6.166   192.168.1.32  TCP       1266    443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
    42   0.366279041  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
    43   0.366321697  23.57.6.166   192.168.1.32  TCP       74      [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
    44   0.366410135  192.168.1.32  23.57.6.166   TCP       66      [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
    45   0.366709770  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
    46   0.366754978  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186756 TSecr=3470404097
    47   0.369138676  23.57.6.166   192.168.1.32  TCP       66      443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404102 TSecr=365186720
    48   0.370432739  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
    49   0.370506906  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186759 TSecr=3470404102
    50   0.371401125  23.57.6.166   192.168.1.32  TCP       1514    443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
    51   0.371449250  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186760 TSecr=3470404102
    52   0.372385968  23.57.6.166   192.168.1.32  TCP       1266    443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
    53   0.372438156  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186761 TSecr=3470404102
    54   0.372859562  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
    55   0.372905395  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186762 TSecr=3470404103
    56   0.374064614  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186763 TSecr=3470404097
    57   0.382856646  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186772 TSecr=3470404103
    58   0.387044251  192.168.1.32  23.57.6.166   TCP       74      53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186776 TSecr=0 WS=128
    59   0.401877325  192.168.1.32  23.57.6.166   TCP       74      53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186791 TSecr=0 WS=128
    60   0.402472117  23.57.6.166   192.168.1.32  TCP       66      443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404136 TSecr=365186763
    61   0.402574981  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186791 TSecr=3470404136
    62   0.410122326  23.57.6.166   192.168.1.32  TCP       66      443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404143 TSecr=365186772
    63   0.410185971  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186799 TSecr=3470404143
    64   0.415533941  23.57.6.166   192.168.1.32  TCP       74      443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128
    65   0.415615607  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186804 TSecr=3470404148
    66   0.416199514  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
    67   0.429629098  23.57.6.166   192.168.1.32  TCP       74      443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128
    68   0.429722796  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186819 TSecr=3470404163
    69   0.430195036  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
    70   0.449937225  23.57.6.166   192.168.1.32  TCP       66      443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404182 TSecr=365186805
    71   0.451000037  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
    72   0.451064100  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186840 TSecr=3470404183
    73   0.451980194  23.57.6.166   192.168.1.32  TCP       1514    443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
    74   0.452031756  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186841 TSecr=3470404183
    75   0.452935767  23.57.6.166   192.168.1.32  TCP       1266    443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
    76   0.452991027  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186842 TSecr=3470404183
    77   0.453443475  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
    78   0.453498215  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186842 TSecr=3470404184
    79   0.461625715  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186850 TSecr=3470404184
    80   0.463463320  23.57.6.166   192.168.1.32  TCP       66      443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404196 TSecr=365186819
    81   0.464344413  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
    82   0.464433476  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186853 TSecr=3470404197
    83   0.465538632  23.57.6.166   192.168.1.32  TCP       1514    443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
    84   0.465628789  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186854 TSecr=3470404197
    85   0.466298945  23.57.6.166   192.168.1.32  TCP       1266    443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
    86   0.466437851  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186855 TSecr=3470404197
    87   0.467042591  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
    88   0.467190976  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186856 TSecr=3470404197

I start my description with a Client Hello step from the Raspberry Pi to 
the ebay.fr server:

    No.  Time         Source        Destination   Protocol  Length  Info
    29   0.329752684  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello

    ...

    Transport Layer Security
         TLSv1.2 Record Layer: Handshake Protocol: Client Hello
             Content Type: Handshake (22)
             Version: TLS 1.0 (0x0301)
             Length: 512
             Handshake Protocol: Client Hello
                 Handshake Type: Client Hello (1)
                 Length: 508
                 Version: TLS 1.2 (0x0303)

Then, there is another Client Hello step which seems quite similar to 
the previous one:

    No.  Time         Source        Destination   Protocol  Length  Info
    32   0.331192579  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello

    ...

    Transport Layer Security
         TLSv1.2 Record Layer: Handshake Protocol: Client Hello
             Content Type: Handshake (22)
             Version: TLS 1.0 (0x0301)
             Length: 512
             Handshake Protocol: Client Hello
                 Handshake Type: Client Hello (1)
                 Length: 508
                 Version: TLS 1.2 (0x0303)

Then a Server Hello:

    No.  Time         Source        Destination   Protocol  Length  Info
    37   0.364291801  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello

    ...

    Transport Layer Security
         TLSv1.2 Record Layer: Handshake Protocol: Server Hello
             Content Type: Handshake (22)
             Version: TLS 1.2 (0x0303)
             Length: 78
             Handshake Protocol: Server Hello
                 Handshake Type: Server Hello (2)
                 Length: 74
                 Version: TLS 1.2 (0x0303)

                 Random:
    08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
                     GMT Unix Time: Oct  4, 1974 08:40:20.000000000
    Paris, Madrid (heure d’été)
                     Random Bytes:
    bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
                 Session ID Length: 0
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (0xc02f)

    ...

So it seems the server found a common cipher with the client. I am not 
sure then what to look for. Frames 43 and 44 are detected by Wireshark 
as retransmissions but I am not sure it is a problem.

I noticed frame 45 which is about the Certificate, Certificate Status, 
Server Key Exchange and Server Hello Done:

    No.  Time         Source        Destination   Protocol  Length  Info
    45   0.366709770  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done

    Transport Layer Security
         TLSv1.2 Record Layer: Handshake Protocol: Certificate
             Content Type: Handshake (22)
             Version: TLS 1.2 (0x0303)
             Length: 4102
             Handshake Protocol: Certificate
                 Handshake Type: Certificate (11)
          ...
    Transport Layer Security
         TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
             Content Type: Handshake (22)
             Version: TLS 1.2 (0x0303)
             Length: 479
             Handshake Protocol: Certificate Status
                 Handshake Type: Certificate Status (22)
                 Length: 475
                 Certificate Status Type: OCSP (1)
                 OCSP Response Length: 471
                 OCSP Response
    ...
         TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
             Content Type: Handshake (22)
             Version: TLS 1.2 (0x0303)
             Length: 333
             Handshake Protocol: Server Key Exchange
                 Handshake Type: Server Key Exchange (12)
                 Length: 329
                 EC Diffie-Hellman Server Params
    ...
         TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
             Content Type: Handshake (22)
             Version: TLS 1.2 (0x0303)
             Length: 4
             Handshake Protocol: Server Hello Done
                 Handshake Type: Server Hello Done (14)
                 Length: 0

    ...

I noticed there is a mention of Diffie-Hellman which may require some 
attention but I am not sure.

I am sorry for all this information but I really look forward to knowing 
more and managing to sort this issue out. Is there anything in this 
information that is relevant to understanding the issue I have? Where 
should I focus?

Best regards,

JF

Le 02/01/2021 à 11:26, jean francois hasson a écrit :
>
> Hi,
>
> Thank you Amos Jeffries and Antony Stone. It seems the configuration I 
> have provides the functionality of filtering I am looking for.
>
> There is a strange behavior I can see when accessing some legitimate 
> sites which I see traces of in cache.log :
>
>     2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20
>     'squidGuard' processes
>     2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39:
>     error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
>     inappropriate fallback (1/-1/0)
>     2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD
>     38: error:00000001:lib(0):func(0):reason(1) (1/-1)
>     2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38:
>     error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
>     inappropriate fallback (1/-1/0)
>     2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD
>     35: error:00000001:lib(0):func(0):reason(1) (1/-1)
>     2021/01/02 10:57:40 kid1| Starting new redirector helpers...
>     2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20
>     'squidGuard' processes
>     2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51:
>     error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
>     inappropriate fallback (1/-1/0)
>     2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD
>     40: error:00000001:lib(0):func(0):reason(1) (1/-1)
>     2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51:
>     error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
>     inappropriate fallback (1/-1/0)
>     2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD
>     40: error:00000001:lib(0):func(0):reason(1) (1/-1)
>
> I noticed other users of squid encountered similar issues but I did 
> not find a clear answer to the issue. Is there a problem with my 
> setup? I am not sure I am able to solve it on my own! Any help would 
> be appreciated.
>
> Best regards,
>
> JF Hasson
>
> Le 31/12/2020 à 10:14, Antony Stone a écrit :
>> On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
>>
>>> If I set up on a device connected to the access point a proxy manually
>>> ie 10.3.141.1 on port 8080, I can access the internet. If I put the
>>> following rules for iptables to use in files rules.v4 :
>>>
>>> *nat
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
>>> 10.3.141.1:3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
>>> 10.3.141.1:3129
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
>> Try removing the DNAT rules above.  You should be using REDIRECT for intercept
>> mode to work correctly.
>>
>>
>> Antony.
>>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
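The log lines quoted in the thread name the alert OpenSSL received as "tlsv1 alert inappropriate fallback", and the Wireshark excerpts show the two version fields of a Client Hello (a TLS 1.0 record-layer version carrying a TLS 1.2 handshake version). The following is an added example, not code from the squid-users posts, from Squid or from OpenSSL, that reads those fields from a raw TLS record and decodes the alert. The mechanism it checks is the one defined in RFC 7507: a client that retries a handshake at a lower version includes the TLS_FALLBACK_SCSV cipher suite value (0x5600), and a server implementing the RFC answers with a fatal inappropriate_fallback alert (description 86) whenever that value is present and the client's version is below the server's own maximum. The byte strings, the builder helpers and the assumed server maximum of TLS 1.2 are constructed for this example and are not captured traffic.

```python
"""
Added example (not from the squid-users thread, Squid or OpenSSL): a reader
for the TLS record / ClientHello fields shown in the Wireshark dumps above and
a decoder for the inappropriate_fallback alert (RFC 7507). All sample bytes
are constructed here; the build_* helpers exist only to produce test input.
"""
import struct

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
TLS_FALLBACK_SCSV = 0x5600            # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86     # RFC 7507 alert description

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_record(data):
    """Split one TLS record into (content_type, record_version, body)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, version, body


def parse_client_hello(body):
    """Extract client_version and the cipher suite list from a ClientHello."""
    if body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    (client_version,) = struct.unpack("!H", msg[:2])
    pos = 2 + 32                              # skip the 32-byte client random
    pos += 1 + msg[pos]                       # skip length-prefixed session id
    (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", msg[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def describe(record, server_max_version=0x0303):
    """
    Summarise a record the way an analyst reading the capture would.
    For a ClientHello: both version fields and whether the client signalled a
    downgrade with TLS_FALLBACK_SCSV. For an alert: level and description.
    server_max_version (TLS 1.2 here) is an assumption made for the example;
    per RFC 7507 a server rejects a ClientHello that carries the SCSV with a
    client_version below its own maximum.
    """
    ctype, record_version, body = parse_record(record)
    if ctype == CONTENT_ALERT:
        level, desc = body[0], body[1]
        return {"kind": "alert", "level": level, "description": desc,
                "inappropriate_fallback": desc == ALERT_INAPPROPRIATE_FALLBACK}
    if ctype == CONTENT_HANDSHAKE and body[0] == HS_CLIENT_HELLO:
        client_version, suites = parse_client_hello(body)
        scsv = TLS_FALLBACK_SCSV in suites
        return {"kind": "client_hello",
                "record_version": VERSIONS.get(record_version, hex(record_version)),
                "client_version": VERSIONS.get(client_version, hex(client_version)),
                "fallback_scsv": scsv,
                "server_would_reject": scsv and client_version < server_max_version}
    return {"kind": "other", "content_type": ctype}


# --- constructed sample input (not captured traffic) -------------------------

def build_client_hello(client_version, suites, record_version=0x0301):
    """Build a minimal ClientHello record. Like the capture above, the
    record-layer version defaults to TLS 1.0 while the handshake carries the
    real client_version."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    msg = (struct.pack("!H", client_version) + bytes(32)   # version, random
           + b"\x00"                                       # empty session id
           + struct.pack("!H", len(suite_bytes)) + suite_bytes
           + b"\x01\x00"                                   # null compression
           + b"\x00\x00")                                  # no extensions
    hs = bytes([HS_CLIENT_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", CONTENT_HANDSHAKE, record_version, len(hs)) + hs


def build_alert(level, description, record_version=0x0303):
    """Build a two-byte alert record (level 2 = fatal)."""
    return (struct.pack("!BHH", CONTENT_ALERT, record_version, 2)
            + bytes([level, description]))


if __name__ == "__main__":
    normal = build_client_hello(0x0303, [0xC02F, 0xC030])
    downgraded = build_client_hello(0x0302, [0xC02F, TLS_FALLBACK_SCSV])
    for rec in (normal, downgraded, build_alert(2, ALERT_INAPPROPRIATE_FALLBACK)):
        print(describe(rec))
```

Run as a script it prints three summaries: a TLS 1.2 ClientHello inside a TLS 1.0 record (the shape seen in frames 29 and 32), a TLS 1.1 ClientHello carrying the SCSV that a TLS 1.2 server would reject, and a decoded fatal inappropriate_fallback alert. To apply it to a real capture, pass the raw record bytes exported from Wireshark into describe(); the cipher suite in frame 37 (0xc02f) is the same encoding the suite list uses.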