Re: Skype Issues

Yuri <yvoinov@xxxxxxxxx> · Mon, 27 Jun 2016 20:29:46 +0600



    Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not
      supported everywhere, RC4/3DES is SSLv3 ciphers, so it can be
      confuse software. I.e., you use custom ciphers/protocols
      combinations, which can lead issue.

    
    27.06.2016 20:25, Renato Jop пишет:

    
        Thank you both for your valuable help.

        
        I've configured the tls-dh param with a strong Diffie-Hellman
        group (2048 bits) and configured the cipher as Yuri specified
        and I was able to get pass the unknown cipher, however now I get
        a "SSL routines:SSL3_GET_RECORD:wrong version number". Here's
        the configuration I changed:

 cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
        dhparams=/etc/dh-parameters.2048
        options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
        tls-dh=/usr/local/etc/squid/dhparams.pem

        
          Renato
            Jop

          
        On Sat, Jun 25, 2016 at 11:34 AM, Yuri
          Voinov <yvoinov@xxxxxxxxx>
          wrote:

          
              -----BEGIN PGP SIGNED MESSAGE-----

              Hash: SHA256

              
            25.06.2016 23:09, Amos Jeffries
            пишет:

            > On 26/06/2016 4:32 a.m., Yuri Voinov
              wrote:

              >>

              >> Amos, you are a wrong.

              >>

              >> No Squid-4. It's unstable and not ready for
              production. Whenever it's

              >> features.

              >

              > So some beta software has bugs therefore nobody
              should ever use it for

              > anything. I find that to be a strange and sad view of
              the world.

              >

              > Care to guess why I listed it as the last option
              amongst several?

              >  Or why 4.0.11 exists as a beta still?

              > It *is* an option for the mentioned problem(s) though
              whatever its

              utility.

            Agreed.

            >

              >

              >

              >>

              >> Some time ago I have the same issue and know what
              happens exactly.

              >>

              >> Skype initial connection site uses RC4 cipher.
              Which is disabled in most

              >> squid's configuration.

              >

              > Your "know what happens exactly" differs from at
              least two other peoples

              > debugging experiences with Skype.

              >

              > RC4 is on the hitlist for most of the big vendors for
              the past year or

              > so. IIRC there were several Windows Updates to remove
              it and other

              > broken bits from a lot of things over the past year.

              > If Skype is still using RC4 it might be part of this
              problem.

            I'm sure this is problem and this problem exists. MS
            do nothing to make

            they sites/services more secure. BTW, MS Updates uses RC4
            ciphers itself

            this time. With strong siphers there is no way to setup WU
            via Squid.

            I've spent much time to identify this problem in my setup
            and find

            working workaround.

            
            Another part of problem is: MS often uses it's own
            self-signed roots,

            which is exists in Windows, but nowhere else. And which has
            not

            cross-signed by well-known root CA's. They think it make MS
            services

            more secure. They wrong. But we can't do anything with it.
            So, this is

            forced us to add self-signed MS roots to our Squid's CA
            bundles to

            bump/splice.

            >

              >

              >>

              >> To make it works (as by as most M$ update sites)
              it's require simple use

              >> this cipher's suite:

              >>

              >>
              HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

              >>

              >> That works for me in 5 SSL bumped setups. There
              is no matter which squid

              >> version installed.

              >

              > Thank you. Thats another option then. I'd rate that
              below trying the EC

              > ciphers, and above library updates.

            You are welcome.

            
            Just for information: MS has own IT infrastructure, with
            some strange

            configured and non well-managed elements. I can't guarantee
            this

            workaround will work everywhere or for every MS service.

            
            When I made my research, I've seen some strange security TLS

            combinations on MS sites/services. I.e., for example,
            RC4+ECDSA+TLSv1.2.

            Or, for example, RC4+MD5+TLSv1. And some similar. Very
            idiotic and

            potentially dangerous combinations. And - they support
            ignores all

            requests. As usual.

            
            To my regret, I can not order all of its users to abandon
            the use of

            Windows. So far, in my infrastructure have machines with
            Windows XP.

            
            With this nothing can be done, it is necessary only to
            weaken the

            security - for the sake of compatibility.

            >

              >

              > Amos

              > _______________________________________________

              > squid-users mailing list

              > squid-users@xxxxxxxxxxxxxxxxxxxxx

              > http://lists.squid-cache.org/listinfo/squid-users

              
            -----BEGIN PGP SIGNATURE-----

              Version: GnuPG v2

              
            iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z

yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW

OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS

0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK

3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF

Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=

            =8BTp

            -----END PGP SIGNATURE-----

            
            _______________________________________________

            squid-users mailing list

            squid-users@xxxxxxxxxxxxxxxxxxxxx

            http://lists.squid-cache.org/listinfo/squid-users

            
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users