Re: Skype SSL is incompatible with OpenSSL

Hi Marcus and Amos,

Thank you for the clarification. In my case, where I am using fake
CONNECT (interception proxy), there must be a way to exclude
Skype from SSL bumping. I tried to exclude the browser ^skype user
agent as discussed on the Squid wiki and it still doesn't work. Also, I
tried to exclude almost all sites from SSL bump and Skype still can't
connect.

As I said earlier, my firewall blocks everything except web (80 & 443)
and DNS. My firewall is also intercepting 443 and 80 via WCCP 70 and
web-cache redirect by Cisco; that's why Skype will always be
intercepted by Squid.

I'm wondering if there's someone who has successfully allowed Skype to
fake CONNECT to Squid (I'm referring to interception, not explicit
proxying). I cannot fully implement HTTPS interception until I find a
solution to properly intercept Skype.

Many thanks in advance for all the help.


Jay





On Sat, May 3, 2014 at 3:02 AM, Marcus Kool <marcus.kool@xxxxxxxxxxxxxxx> wrote:
>
>
> On 05/02/2014 08:21 AM, Jay Jimenez wrote:
>>
>> Hi Amos,
>>
>> Thank you for the response.
>>
>> Any advice of how would I know exactly what SSL/TLS version skype is
>> using and how do I enable those versions to my squid box?
>
>
> It has been a while since I investigated Skype but my findings at that time
> were that Skype does not use SSL.
> Instead, it does a CONNECT and wants a tunnel through Squid but the
> SSL bumping only works if the web servers talk SSL+HTTP (HTTPS).
> In short, SSL bumping does not work for Skype.
>
> Marcus
>
>
>
>> What are changes in 3.4.5 in terms of ssl bumping? Would it help me on
>> my existing transparent setup to resolve my skype issue?
>>
>>
>> Thanks,
>> Jay
>>
>>
>>
>>
>>
>>
>> On Fri, May 2, 2014 at 6:57 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a squid setup that is currently doing transparent SSL
>>>> interception. Almost all websites work flawlessly, like
>>>> https://facebook.com, gmail, banking websites etc. However, when
>>>> intercepting Skype I get the following error in my cache.log:
>>>>
>>>>
>>>> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 155: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>>
>>>
>>> This means the SSL/TLS version being requested by the client is not
>>> supported by your proxy.
>>>
>>> For example, if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
>>> your proxy or OpenSSL library is configured to disable those insecure
>>> versions.
>>>
>>> NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
>>> supported versions in software, as the older protocols are vulnerable to
>>> the BEAST and CRIME attacks.
>>>
>>> FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
>>> also may be involved with this.
>>>
>>>
>>>> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 34: error:1408F10B:SSL
>>>>
>>>>
>>>> My Setup:
>>>>
>>>> Our firewall only allows ports 80 and 443 and some business ports
>>>> that's why Skype will always be redirected by our WCCP router to the
>>>> squid box.
>>>>
>>>> My openssl version is  OpenSSL 1.0.1e 11 Feb 2013
>>>
>>>
>>> I hope you have patched that for the Heartbeat vulnerability.
>>>
>>> NOTE: Squid is not particularly susceptible to Heartbeat due to our
>>> memory pooling feature, but there is still some leakage and other
>>> software on the machine will be vulnerable.
>>>
>>>>
>>>> My squid version is 3.4. I also tried different Squid versions but
>>>> failed.
>>>>
>>>
>>>
>>>
>>> Amos
>>
>>
>>
>
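The clientNegotiateSSL lines Amos interprets above carry a packed OpenSSL error code (1408F10B) whose library, function and reason fields can be decoded directly. The following parser is an added example, not code from this thread or from Squid: it reads cache.log lines in the shape shown above (sample lines constructed here, one per line as in the real log), decodes the code and counts failures per reason, so a burst of "wrong version number" errors from intercepted clients stands out from other handshake failures. The field names and the summary function are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the cache.log shape quoted in the thread (unwrapped).
SAMPLE_LOG = """\
2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 155: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:30 kid1| Starting new helpers
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]*?)\s*\("
)


def decode_openssl_error(code_hex: str) -> dict:
    """Split a packed OpenSSL 1.0.x error code into its numeric fields.
    Layout: bits 31-24 library, bits 23-12 function, bits 11-0 reason.
    For 1408F10B: lib 0x14 (SSL), func 0x08F (SSL3_GET_RECORD),
    reason 0x10B (wrong version number)."""
    code = int(code_hex, 16)
    return {"lib_num": code >> 24, "func_num": (code >> 12) & 0xFFF, "reason_num": code & 0xFFF}


def parse_negotiate_errors(log_text: str) -> list:
    """Return one dict per clientNegotiateSSL error line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["fd"] = int(ev["fd"])
        ev["reason"] = ev["reason"].strip()
        ev.update(decode_openssl_error(ev["code"]))
        events.append(ev)
    return events


def summarize(events: list) -> Counter:
    """Count handshake failures per reason text. Many 'wrong version number'
    hits on an intercepting proxy mean clients that either use a protocol
    version the proxy rejects or are not speaking TLS on port 443 at all."""
    return Counter(ev["reason"] for ev in events)


if __name__ == "__main__":
    for reason, n in summarize(parse_negotiate_errors(SAMPLE_LOG)).items():
        print(f"{n:4d}  {reason}")
```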



