Possible SSL Bug in v3.5.13?

David Marcos <davem.business@xxxxxxxxx> · Tue, 12 Jan 2016 21:42:18 -0500

I recently upgraded to Squid v3.5.13 and am encountering at least two errors when processing certain HTTPS connections.  I am not sure if it is a bug or a configuration error on my part.
The first error I am seeing is when shutterfly.com is accessed by a user.  The issue occurs regardless of whether I splice or bump the site.  A user can browse to the page, but if they click on anything on the site, squid encounters a fault.  The system does not crash; it recovers, but the proxy is down for about 30 seconds.  Note that this occurs in regular forward proxy mode, not intercept mode.

My knowledge of SSL is somewhat limited, so I am not sure if I have misconfigured things in a way that creates the problem.  Two questions I have are (a) to apply ECDH properly, must an optional cipher be chosen for the tls-dh option? and (b) to properly apply ECDH, do I have to recreate the dhparam file using an ECDH cipher (I'm currently using the dhparam file that I previously had)?

Separate from the above (or perhaps related), the second issue I am also seeing are odd errors in the cache.log that are causing squid to fault and recover.  I am not yet sure which sites are causing the issue, but I am seeing the following error: FATAL: dying from an unhandled exception: !theConsumer.  This error seems to be consistently preceded by "Error negotiating SSL on FD 25: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)".

The prior version I was running was v3.5.12 and I know that version had no problems when accessing shutterfly.com nor the odd FATAL message I am seeing with the below configuration.

Following is more detailed info for the first problem I am encountering above with shutterfly.com.  Please let me know additional information is needed.

Cache.log extracts when accessing shutterfly.com:
--------------------------------------------------------------------

2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 91: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 98: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:39:59 kid1| Error negotiating SSL on FD 89: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 62: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:02 kid1| Error negotiating SSL on FD 63: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 56: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)
2016/01/12 22:40:03 kid1| Error negotiating SSL on FD 58: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (1/-1/0)  

Extracts from my squid.conf file:
----------------------------------------------

http_port 127.0.0.1:3128

http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.pem tls-dh=cert.dhparam.pem

http_port 192.168.10.1:3129 intercept  disable-pmtu-discovery=transparent name=http_icept

https_port 192.168.10.1:3130 intercept  disable-pmtu-discovery=transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.pem tls-dh=cert.dhparam.pem name=https_icept

sslcrtd_program /usr/lib/squid/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB

...

ssl_bump peek SSL_Step1 !dont_peek_or_stare mynet

ssl_bump splice dont_bump_me mynet

ssl_bump bump mynet

ssl_bump terminate all

# Various SSL Proxy Config Stuff

sslproxy_cert_error allow broken_certs

sslproxy_cert_error deny all

sslproxy_cert_sign_hash sha256

sslproxy_capath /etc/ssl/certs/

sslproxy_foreign_intermediate_certs /etc/ssl/certs/

sslproxy_options No_Compression,NO_TLSv1,NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

------------------------

Thanks,

    Dave
___________________________________________________________
Dave Marcos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users