Search squid archive

Re: Skype, SSL bump and go.trouter.io

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Steve,

There are couple options to the issue and a bad request can happen if squid transforms or modifies the request.
Did you tried to use basic debug sections output to verify if you are able to "replicate" the request using a tiny script or curl?
I think that section 11 is the right one to start with
(http://wiki.squid-cache.org/KnowledgeBase/DebugSections)
There were couple issues with intercepted https connections in the past but a 400 means that something is bad and mainly in the expected input and not a certificate but it is possible that other reasons are there.
I have not tried to use skype in a transparent environment for a very long time but I can try to test it later.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Steve Hill
Sent: Wednesday, July 6, 2016 5:47 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject:  Skype, SSL bump and go.trouter.io


I've been finding some problems with Skype when combined with TProxy and 
HTTPS interception and wondered if anyone had seen this before:

Skype works so long as HTTPS interception is not performed and traffic 
to TCP and UDP ports 1024-65535 is allowed directly out to the internet. 
  Enabling SSL-bump seems to break things - When making a call, Skype 
makes an SSL connection to go.trouter.io, which Squid successfully 
bumps.  Skype then makes a GET request to 
https://go.trouter.io/v3/c?auth=true&timeout=55 over the SSL connection, 
but the HTTPS server responds with a "400 Bad Request" error and Skype 
fails to work.

The Skype client clearly isn't rejecting the intercepted connection 
since it is making HTTPS requests over it, but I can't see why the 
server would be returning an error.  Obviously I can't see what's going 
on inside the connection when it isn't being bumped, but it does work 
then.  The only thing I can think is maybe the server is examining the 
SSL handshake and returning an error because it knows it isn't talking 
directly to the Skype client - but that seems like an odd way of doing 
things, rather than rejecting the SSL handshake in the first place.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:steve@xxxxxxxxxxxx
    Email:            steve@xxxxxxxxxxxx
    Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
    Email:            sales@xxxxxxxxxxxx
    Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
    Email:            support@xxxxxxxxxxxx
    Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux