Search squid archive

Re: SSLBump SSL error (FAO Henrik)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Henrik,

Strangely s_client without any additional parameters seems to work:

OpenSSL> s_client -connect applyonline.abbeynational.co.uk:443
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority 
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=GRUPO SANTANDER/OU=IT Security Operations/CN=applyonline.abbeynational.co.uk i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority 
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFoDCCBIigAwIBAgIQTjHebyXhySJF0PmYv7PGHTANBgkqhkiG9w0BAQUFADCB
vDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMt
VmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4X
DTExMDIxODAwMDAwMFoXDTEyMDIyNTIzNTk1OVowgaQxCzAJBgNVBAYTAkdCMRgw
FgYDVQQIEw9CdWNraW5naGFtc2hpcmUxFjAUBgNVBAcUDU1pbHRvbiBLZXluZXMx
GDAWBgNVBAoUD0dSVVBPIFNBTlRBTkRFUjEfMB0GA1UECxQWSVQgU2VjdXJpdHkg
T3BlcmF0aW9uczEoMCYGA1UEAxQfYXBwbHlvbmxpbmUuYWJiZXluYXRpb25hbC5j
by51azCCASEwDQYJKoZIhvcNAQEBBQADggEOADCCAQkCggEAaUp4WbQ0wQ2w0vAV
rSCIeH7e+C3TN9Fx2BLlndEYvDRYWyt44hSkYidrkppqiGMC9WCfRFd7HVqlKxey
6yZzNIV4vEHnvs62NPQcN9Fq3+FVONd6eBl83nY7GG2OUpYQoDkiVYu9XbdHy75Z
C5YAvnJqE+b1eHCeIu06kGdE0fK9j+FUsbyeS/MaP77M/ymPsKhr9N4LWlQdtlnn
g0/U32jq8IwZ73XcLLTtRe7ScpkOkgYyhwFrfSdaCM/kygrfJahUzur1rq438J8b
FwakDBH/p4opnCCCP3UCjSw7drtIlKi7Z3lQ+xkYmSICKiPhLtchsyWFRBrVe36r
72po1QIDAQABo4IBszCCAa8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwQQYDVR0f
BDowODA2oDSgMoYwaHR0cDovL1NWUkludGwtRzMtY3JsLnZlcmlzaWduLmNvbS9T
VlJJbnRsRzMuY3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAoBgNVHSUEITAfBglg
hkgBhvhCBAEGCCsGAQUFBwMBBggrBgEFBQcDAjByBggrBgEFBQcBAQRmMGQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYw
aHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2Vy
MG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4D
AhoEFEtruSiWBgy70FI4mymsSweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWdu
LmNvbS92c2xvZ28xLmdpZjANBgkqhkiG9w0BAQUFAAOCAQEAVTT7cczhZ0mVVRHn
4pLe4780UCOIlXDyABI23B1XdZBm6fUcVB+JKPKpD6J31iSXnWuHdb6sjMLfzq45
1XFZ/v6wB2cvK2KMeAvedDp+1/R2HoCjrPPOFS42HEFks7kQ2/xaV2gHYOVnoG/V
RwvT94vtI1xUZAs87QxLUtvGcedcQnHyCmt3Wp5xTll7/czrYSLZFuELfPeckQ4v
ZI0XuWn1uwVURn7pfpK62044Zg6Zwz9gsicHbHavgUZds+dKSLKPPzV4ElJT9kzJ
E1lWAUgpMppmYJdJxJUJ5nOAi5P355Mp/TAsj2BU/QSzxodwvE0vW7+TBb5b9nrj
gZCdzQ==
-----END CERTIFICATE-----
subject=/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=GRUPO SANTANDER/OU=IT Security Operations/CN=applyonline.abbeynational.co.uk issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 
---
No client certificate CA names sent
---
SSL handshake has read 4982 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2047 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
Session-ID: 000177046B41D09E52DF67FAA4754DF1EB8B407B585858584F3A4D790000004B 
    Session-ID-ctx:
Master-Key: 0F3544CC04C7858B318C0C80BA75EFE6DFF8DE5D20704FFB0E6F4C1A73FC748B15AD3FF40B3AD67578E722E824FFC0FE 
    Key-Arg   : None
    Start Time: 1329220786
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Unless that verify return code is a problem?


I really don't know where to go from here...

Thanks

Alex


On 12/02/12 11:57, Henrik Nordström wrote:

lör 2012-02-11 klockan 10:34 +0000 skrev Alex Crow:


Henrik,

I have tried adding the line "sslproxy_cipher ALL:!COMPLEMENTOFDEFAULT"
instead of specifying it in the http_port line.

It's still failing negotiation on the abbeynational request.

Any help would be much appreciated.

Try playing with openssl s_client until you find settings that the
server accepts.

That's how I found the cipher setting that works for me.

Then use this in sslproxy_cipher directive in Squid to tell Squid what
it should use.

Note: http_port is the wrong place. This controls the ciphers used
towards clients only.

Regards
Henrik
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux