No, the problem is in another place. This option is about ICQ, not about Skype.

29.06.2016 22:58, Renato Jop wrote:
> I've installed squid4 and the problem still persists. I've added the following acl:
> # define what Squid errors indicate receiving non-HTTP traffic:
> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
> # define what Squid errors indicate receiving nothing:
> acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
> # tunnel everything that does not look like HTTP:
> on_unsupported_protocol tunnel foreignProtocol
> # tunnel if we think the client waits for the server to talk first:
> on_unsupported_protocol tunnel serverTalksFirstProtocol
> # in all other error cases, just send an HTTP "error page" response:
> on_unsupported_protocol respond all
>
> Renato Jop
>
> On Wed, Jun 29, 2016 at 8:21 AM, Renato Jop <renjop@xxxxxxxxx> wrote:
>
> I've installed LibreSSL 2.2.9 and the issue still persists.
> I think I am going to have to install squid4 even if it's still in beta to solve these issues.
> Thanks for your help.
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 9:36 AM, Renato Jop <renjop@xxxxxxxxx> wrote:
>
> Is there a way to verify that the SSL library doesn't support SSLv3?
>
> Renato Jop
>
> On Mon, Jun 27, 2016 at 8:43 AM, Yuri <yvoinov@xxxxxxxxx> wrote:
>
> Looks like your SSL library does not contain SSLv3 protocol support already, but the site announces it.
>
> 27.06.2016 20:42, Renato Jop wrote:
>> I removed the NO_SSLv2, NO_SSLv3; however, right before the SSL3_GET_RECORD:wrong version number, the SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.
>>
>> Renato Jop
>>
>> On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoinov@xxxxxxxxx> wrote:
>>
>> Try to remove NO_SSLv2,NO_SSLv3 from options.
>> SSLv2 is already not supported anywhere; RC4/3DES are SSLv3 ciphers, so it can confuse software. I.e., you use custom cipher/protocol combinations, which can lead to issues.
>>
>> 27.06.2016 20:25, Renato Jop wrote:
>>> Thank you both for your valuable help.
>>> I've configured the tls-dh param with a strong Diffie-Hellman group (2048 bits) and configured the cipher as Yuri specified, and I was able to get past the unknown cipher; however, now I get a "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the configuration I changed:
>>> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE tls-dh=/usr/local/etc/squid/dhparams.pem
>>>
>>> Renato Jop
>>>
>>> On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>
>>> 25.06.2016 23:09, Amos Jeffries wrote:
>>> > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
>>> >>
>>> >> Amos, you are wrong.
>>> >>
>>> >> No Squid-4. It's unstable and not ready for production. Whatever its
>>> >> features.
>>> >
>>> > So some beta software has bugs therefore nobody should ever use it for
>>> > anything. I find that to be a strange and sad view of the world.
>>> >
>>> > Care to guess why I listed it as the last option amongst several?
>>> > Or why 4.0.11 exists as a beta still?
>>>
>>> It *is* an option for the mentioned problem(s) though whatever its
>>> utility.
>>> Agreed.
>>>
>>> >> Some time ago I had the same issue and know exactly what happens.
>>> >>
>>> >> Skype's initial connection site uses the RC4 cipher, which is disabled
>>> >> in most Squid configurations.
>>> >
>>> > Your "know what happens exactly" differs from at least two other people's
>>> > debugging experiences with Skype.
>>> >
>>> > RC4 is on the hitlist for most of the big vendors for the past year or
>>> > so. IIRC there were several Windows Updates to remove it and other
>>> > broken bits from a lot of things over the past year.
>>> > If Skype is still using RC4 it might be part of this problem.
>>>
>>> I'm sure this is the problem and this problem exists. MS does nothing to
>>> make their sites/services more secure. BTW, MS Updates uses RC4 ciphers
>>> itself at this time. With strong ciphers there is no way to set up WU via
>>> Squid. I've spent much time identifying this problem in my setup and
>>> finding a working workaround.
>>>
>>> Another part of the problem is: MS often uses its own self-signed roots,
>>> which exist in Windows, but nowhere else, and which have not been
>>> cross-signed by well-known root CAs. They think it makes MS services
>>> more secure. They are wrong. But we can't do anything about it. So this
>>> forces us to add self-signed MS roots to our Squid's CA bundles to
>>> bump/splice.
>>>
>>> >> To make it work (as well as most M$ update sites) it simply requires
>>> >> using this cipher suite:
>>> >>
>>> >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>>> >>
>>> >> That works for me in 5 SSL-bumped setups. It does not matter which
>>> >> squid version is installed.
>>> >
>>> > Thank you. That's another option then. I'd rate that below trying the EC
>>> > ciphers, and above library updates.
>>>
>>> You are welcome.
>>>
>>> Just for information: MS has its own IT infrastructure, with some
>>> strangely configured and not well-managed elements. I can't guarantee
>>> this workaround will work everywhere or for every MS service.
>>>
>>> When I did my research, I saw some strange TLS security combinations on
>>> MS sites/services, for example RC4+ECDSA+TLSv1.2, or RC4+MD5+TLSv1, and
>>> some similar. Very idiotic and potentially dangerous combinations. And
>>> their support ignores all requests. As usual.
>>>
>>> To my regret, I cannot order all users to abandon the use of Windows.
>>> So far, my infrastructure still has machines with Windows XP.
>>>
>>> Nothing can be done about this; it is only necessary to weaken security,
>>> for the sake of compatibility.
>>>
>>> > Amos
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> > http://lists.squid-cache.org/listinfo/squid-users
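The question left open in the thread, whether the local SSL library still has SSLv3 compiled in and what the quoted cipher string actually selects on that library, can be answered offline with Python's ssl module. This is an added example, not code from the thread or from Squid; `THREAD_CIPHERS` is the cipher string quoted above, the function names are mine, and the result only describes the OpenSSL/LibreSSL build Python is linked against, which is assumed to be the same build Squid uses on that host.

```python
import ssl

# Cipher string proposed in the thread as the Skype / Windows Update workaround.
THREAD_CIPHERS = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"


def sslv3_supported():
    """True only if the library Python links against still has SSLv3 compiled in.
    When this is False, a server that insists on SSLv3 is unreachable regardless
    of the NO_SSLv3 option or any cipher string given to Squid."""
    return bool(ssl.HAS_SSLv3)


def check_cipher_string(cipher_string):
    """Ask the local library which suites a Squid-style cipher string selects.
    Returns whether the library accepted the string at all, the selected suite
    names in preference order, and the library version for comparing hosts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # "No cipher can be selected": nothing in the string exists in this build.
        return {"accepted": False, "ciphers": [], "library": ssl.OPENSSL_VERSION}
    names = [suite["name"] for suite in ctx.get_ciphers()]
    return {"accepted": True, "ciphers": names, "library": ssl.OPENSSL_VERSION}


def legacy_suites_selected(cipher_string):
    """RC4 and 3DES suites the string really enables on this library. Unknown
    keywords are silently ignored by the cipher-string parser, so an empty list
    means the compatibility entries are dead here: the library dropped them, and
    no squid.conf change can bring them back."""
    wanted = ("RC4", "3DES", "DES-CBC3")
    return [name for name in check_cipher_string(cipher_string)["ciphers"]
            if any(tag in name for tag in wanted)]


if __name__ == "__main__":
    print("library:", ssl.OPENSSL_VERSION)
    print("SSLv3 compiled in:", sslv3_supported())
    report = check_cipher_string(THREAD_CIPHERS)
    print("cipher string accepted:", report["accepted"],
          "suites selected:", len(report["ciphers"]))
    print("RC4/3DES still available:", legacy_suites_selected(THREAD_CIPHERS) or "none")
```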
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users