On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
> Hi,
>
> I have a squid setup that is currently doing transparent SSL
> interception. Almost all websites work flawlessly, like
> https://facebook.com, gmail, banking websites etc. However, when
> intercepting SKYPE I've got the following error in my cache.log:
>
>
> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 166: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number (1/-1)
> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 155: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number (1/-1)
> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number (1/-1)

This means the SSL/TLS version being requested by the client is not
supported by your proxy. For example, if Skype requires one of SSL/1.0,
SSL/2.0 or SSL/3.0 and your proxy or OpenSSL library is configured to
disable those insecure versions.

NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
supported versions in software, as the older protocols are vulnerable to
the BEAST and CRIME attacks.

FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
also may be involved with this.

> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 34: error:1408F10B:SSL
>
>
> My Setup:
>
> Our firewall only allows ports 80 and 443 and some business ports;
> that's why Skype will always be redirected by our WCCP router to the
> squid box.
>
> My openssl version is OpenSSL 1.0.1e 11 Feb 2013

I hope you have patched that for the Heartbeat vulnerability.

NOTE: Squid is not particularly susceptible to Heartbeat due to our
memory pooling feature, but there is still some leakage and other
software on the machine will be vulnerable.

>
> My squid version is 3.4. I also tried different Squid versions but failed.
>

Amos
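The following is an added diagnostic example, not code from the thread or from the Squid project. OpenSSL's record layer (ssl3_get_record) reports "wrong version number" when the 5-byte record header it reads from the client does not carry a major version byte of 3 (or, after negotiation, a version that differs from the agreed one). The classifier below applies that first-record header check to bytes you would pull from a packet capture of the intercepted connection, so you can tell whether the failing client (Skype here) is even sending TLS, plain HTTP, an SSLv2-style hello, or an unrelated protocol through port 443. The negotiable() helper models the version-overlap reasoning in the reply: a client whose ClientHello advertises at most TLS 1.0 cannot connect to a proxy that only allows TLS 1.1/1.2. All sample bytes are constructed for the demo; the TLS 1.3 supported_versions extension is deliberately ignored as out of scope for a 2014 OpenSSL 1.0.1 setup.

```python
"""First-bytes classifier for an intercepted port-443 connection (added example)."""
import struct
from typing import Dict, Optional, Set

# TLS record content types (RFC 5246 section 6.2.1) and record-layer version words.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def classify_first_record(data: bytes) -> Dict[str, object]:
    """Mirror the record-layer check on the first bytes a client sends."""
    if len(data) < 5:
        return {"verdict": "short", "reason": "fewer than 5 bytes; no complete record header"}
    content_type, version, length = struct.unpack("!BHH", data[:5])
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"verdict": "sslv2_hello", "reason": "SSLv2-style ClientHello; no TLS record header"}
    major = version >> 8
    if major != 3:
        # This is the condition OpenSSL reports as SSL3_GET_RECORD:wrong version number.
        return {"verdict": "wrong_version_number",
                "reason": f"record version 0x{version:04x} has major byte {major}, not 3; "
                          "client is probably not speaking TLS at all"}
    if content_type not in CONTENT_TYPES:
        return {"verdict": "unknown_content_type", "reason": f"content type {content_type}"}
    result: Dict[str, object] = {"verdict": "tls", "content_type": CONTENT_TYPES[content_type],
                                 "record_version": VERSIONS.get(version, f"0x{version:04x}"),
                                 "length": length}
    # For a ClientHello, also extract the client_version field (offset 9, after the
    # record header and the 4-byte handshake header); that is the client's maximum.
    if content_type == 22 and len(data) >= 11 and data[5] == 0x01:
        client_version = struct.unpack("!H", data[9:11])[0]
        result["client_version"] = VERSIONS.get(client_version, f"0x{client_version:04x}")
        result["client_max"] = client_version
    return result


def negotiable(client_max: int, server_allowed: Set[int]) -> Optional[int]:
    """Highest server-allowed version not above the client's maximum, or None (handshake fails)."""
    candidates = [v for v in server_allowed if v <= client_max]
    return max(candidates) if candidates else None


def build_client_hello(version: int) -> bytes:
    """Constructed minimal ClientHello record: one cipher suite, no extensions (demo input)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


# Constructed samples standing in for the first bytes captured from different clients.
SAMPLES = {
    "browser_tls10": build_client_hello(0x0301),
    "browser_tls12": build_client_hello(0x0303),
    "plain_http_on_443": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "sslv2_hello": b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10",
    "opaque_binary": b"\x08\x92\x4f\x11\x00\x00\x3a\x7c\x19\xe0",
}

if __name__ == "__main__":
    tls11_12_only = {0x0302, 0x0303}  # a proxy that disabled SSL 3.0 and TLS 1.0
    for name, first_bytes in SAMPLES.items():
        info = classify_first_record(first_bytes)
        line = f"{name:18} -> {info['verdict']}"
        if "client_max" in info:
            chosen = negotiable(int(info["client_max"]), tls11_12_only)
            line += f" ({info['client_version']}; proxy picks {VERSIONS.get(chosen, 'nothing, fails')})"
        print(line)
```

Run it against the first bytes of the failing connection instead of the constructed samples; a "wrong_version_number" verdict on what arrives before any TLS handshake shows the client is tunneling a non-TLS protocol through 443, which no change of allowed SSL/TLS versions on the proxy will fix.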