Hi, I've got an issue with squid stare and bump, hope someone can help!

I'm staring and bumping everything, using a transparent proxy on Fedora Core 24 with squid-3.5.20-1.fc24.x86_64 (see below for config). Now the client (an iPhone app) does TLS v1.0 and has the following ciphers in the Client Hello (from Wireshark):

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_DES_CBC_SHA (0x0009)

What squid does is replicate all of them in the Client Hello to the server. In general this goes without problems most of the time, but in this case it does not. In the cases where it fails, squid logs an error:

2016/10/01 00:08:13 kid1| Error negotiating SSL on FD 26: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)

I've also seen:

2016/10/02 20:53:09 kid1| Error negotiating SSL connection on FD 12: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)

Squid then sends the following HTML to the client (HTTP over the HTTPS port 443 - I had to get it out of my pcap):

--
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request.
(..)
--

Now it would've been nicer if squid sent out that error over HTTPS, but my main problem is the error happening in the first place. I think it has something to do with the cipher. If I look at my pcaps I can see the webserver is selecting 'TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)' in the Server Hello. In OpenSSL, this cipher is called 'DES-CBC3-SHA'.
So I tried to reproduce on another client (Linux), using only one cipher in the Client Hello:

1) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client -cipher DES-CBC3-SHA -quiet -connect $host:443 2>/dev/null
2) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client -cipher AES256-SHA -quiet -connect $host:443 2>/dev/null

1 breaks like the iPhone app. 2 works fine. I've also looked on the host squid is running on, but 1 works there as well. So the host running squid seems to support the cipher, also according to openssl:

# openssl ciphers -V | grep "0x00,0x0A"
0x00,0x0A - DES-CBC3-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1

Things that come to mind:

1) Why doesn't DES-CBC3-SHA work with squid? The host seems to support it.
2) Squid forwards the Client Hello, including ciphers the host running squid doesn't support (in my case, the DES and RC4 ones). This could also potentially lead to problems. Why doesn't squid filter them out of the Client Hello sent from squid to the webserver? Or replace all of them with the ciphers preferred by squid, perhaps by using the sslproxy_cipher directive (which is currently ignored in ssl_bump configurations)?
3) Nice to have: is it possible for squid to report errors to the user over HTTPS instead of HTTP?
My squid conf:

#####################################
http_port 3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/pki/rootca/public+private.pem
http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/pki/rootca/public+private.pem

logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /export/logs/squid/access_log combined
cache_log /export/logs/squid/cache_log
coredump_dir /var/spool/squid

acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.5.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

forwarded_for delete
cache deny all
always_direct allow all

ssl_bump stare all
ssl_bump bump all
#####################################

Thanks,
Marc

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
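The openssl s_client reproduction above can only offer suites the local OpenSSL build enables, so a host whose library has 3DES or RC4 disabled cannot test the app's exact Client Hello. The following is an added example (not part of the post and not squid code) that hand-builds a TLS 1.0 ClientHello carrying exactly the six suites quoted from the iPhone app, parses the ServerHello or alert the origin returns, and extracts the offered cipher list from a ClientHello record (for comparing the app's hello with the one squid emits, both exported from a pcap). The mock ServerHello and alert builders exist only so the parsing can be exercised offline; probe() is the only function that touches the network, and the host name passed to it is whatever the reader supplies.

```python
"""Hand-built TLS 1.0 ClientHello/ServerHello to see which cipher an origin server picks.

Added example, not from the squid-users post or from squid. The six suites are the ones
quoted from the iPhone app's Client Hello; building the record by hand keeps the offered
list independent of what the local OpenSSL build happens to enable.
"""
import os
import socket
import struct
import sys

TLS10 = b"\x03\x01"

# Cipher suites seen in the app's Client Hello: IANA name and the OpenSSL name.
SUITES = {
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RC4-SHA"),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RC4-MD5"),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "DES-CBC-SHA"),
}
APP_CIPHERS = list(SUITES)  # in the order Wireshark showed them


def _record(content_type, handshake_type, body):
    """Wrap a handshake body in a 4-byte handshake header and a 5-byte TLS 1.0 record header."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([content_type]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(ciphers, sni=None, rand=None):
    """TLS 1.0 ClientHello offering exactly `ciphers`, optionally with a server_name extension."""
    body = TLS10 + (rand or os.urandom(32)) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # compression methods: null only
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name + name
        ext_data = struct.pack("!H", len(entry)) + entry          # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    return _record(0x16, 0x01, body)


def build_server_hello(cipher, rand=None):
    """Minimal ServerHello; stands in for the origin server in offline checks (constructed)."""
    body = TLS10 + (rand or os.urandom(32)) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    return _record(0x16, 0x02, body)


def build_alert(level, description):
    """Alert record; (2, 40) is fatal handshake_failure, what a server answers when no suite matches."""
    return b"\x15" + TLS10 + b"\x00\x02" + bytes([level, description])


def offered_ciphers(record):
    """Cipher list from a ClientHello record (e.g. the bytes of one hello exported from a pcap)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]                      # past record (5) and handshake (4) headers
    pos = 35 + body[34]                    # version (2) + random (32) + session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]


def parse_server_response(data):
    """First record the server sends back: the cipher it selected, or the alert it raised."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if len(payload) < length:
        raise ValueError("truncated record")
    if ctype == 0x15:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if ctype != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("unexpected record: content type %#x" % ctype)
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    sid_len = body[34]
    cipher = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return {"kind": "server_hello", "version": body[0:2], "cipher": cipher}


def describe(result, offered):
    """One-line verdict: did the server pick one of the suites we actually offered?"""
    if result["kind"] == "alert":
        return "server sent alert level %d description %d (40 = handshake_failure)" % (
            result["level"], result["description"])
    c = result["cipher"]
    iana, ossl = SUITES.get(c, ("unknown", "unknown"))
    return "server selected 0x%04x %s (%s), %s" % (
        c, iana, ossl, "offered" if c in offered else "NOT offered")


def probe(host, ciphers=APP_CIPHERS, port=443, timeout=5.0):
    """Send the ClientHello to a live host and parse its reply (network; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(ciphers, sni=host))
        return parse_server_response(s.recv(4096))


if __name__ == "__main__":
    target = sys.argv[1]
    for c in APP_CIPHERS:                  # one suite at a time, like the s_client tests above
        print("%-12s %s" % (SUITES[c][1], describe(probe(target, [c]), [c])))
```

Run it with the origin host as the only argument to test each of the six suites on its own, then once with the full APP_CIPHERS list to see which one the server prefers when offered all of them. Feeding offered_ciphers() the ClientHello bytes from both sides of squid (client-facing and server-facing) shows directly whether the forwarded list matches the app's.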