-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Hardening

On 03.10.2016 23:50, Marc wrote:
> Hi,
>
> I've got an issue with squid stare and bump, hope someone can help!
>
> I'm staring and bumping everything, using transparent proxy on Fedora
> Core 24 using squid-3.5.20-1.fc24.x86_64 (see below for config). Now
> the client (iPhone app) does TLS v1.0 and has the following ciphers in
> the Client Hello (from wireshark):
> TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> TLS_RSA_WITH_RC4_128_SHA (0x0005)
> TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> TLS_RSA_WITH_DES_CBC_SHA (0x0009)
>
> What squid does is replicate all of them in the Client Hello to the
> server. This in general goes without problems most of the time, but in
> this case not. In the cases where it fails, squid logs an error:
> 2016/10/01 00:08:13 kid1| Error negotiating SSL on FD 26:
> error:1409F07F:SSL routines:ssl3_write_pending:bad write retry
> (1/-1/0)
> I've also seen:
> 2016/10/02 20:53:09 kid1| Error negotiating SSL connection on FD 12:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> (1/-1)
>
> Squid then sends the following HTML to the client (HTTP over HTTPS
> port 443 - I had to get it out of my pcap):
>
> --
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:1409F07F:SSL
> routines:ssl3_write_pending:bad write retry
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. (..)
> --
> Now it would've been nicer if squid sent out that error over HTTPS,
> but my main problem is the error happening in the first place.
>
> I think it has something to do with the cipher. If I look at my pcaps
> I can see the webserver is selecting 'TLS_RSA_WITH_3DES_EDE_CBC_SHA
> (0x000a)' in the Server Hello. In openssl, this cipher is called
> 'DES-CBC3-SHA'. So if I try to reproduce on another client (linux),
> only using one cipher in the client hello:
> 1) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client -cipher DES-CBC3-SHA -quiet -connect $host:443 2>/dev/null
> 2) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client -cipher AES256-SHA -quiet -connect $host:443 2>/dev/null
>
> 1 breaks like the iPhone app. 2 works fine. I've looked on the host
> squid is running on, but 1 works there as well. So the host running
> squid seems to support the cipher, also according to openssl:
> # openssl ciphers -V | grep "0x00,0x0A"
> 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
>
> Things that come to mind:
> 1) Why doesn't DES-CBC3-SHA work with squid? The host seems to support it.
> 2) Squid forwards the Client Hello, including ciphers the host running
> squid doesn't support (in my case, the DES and RC4 ones). This could
> also potentially lead to problems. Why doesn't squid filter them out
> from the Client Hello sent from squid to the webserver? Or replace
> all of them with the ciphers preferred by squid. Perhaps by using the
> sslproxy_cipher directive (which is currently ignored in ssl_bump
> configurations).
> 3) Nice to have: Is it possible for squid to report errors to the user
> over HTTPS instead of HTTP?
>
> My squid conf:
>
> #####################################
> http_port 3128 transparent
> https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/pki/rootca/public+private.pem
> http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/pki/rootca/public+private.pem
>
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /export/logs/squid/access_log combined
> cache_log /export/logs/squid/cache_log
> coredump_dir /var/spool/squid
>
> acl localhost src 127.0.0.1/32 ::1
>
> acl localnet src 10.5.0.0/16
> acl localnet src fc00::/7
> acl localnet src fe80::/10
>
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> forwarded_for delete
> cache deny all
> always_direct allow all
>
> ssl_bump stare all
> ssl_bump bump all
> #####################################
>
> Thanks,
>
> Marc
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX8p7XAAoJENNXIZxhPexG9c0H/0I1b0yyZdHTTsb9q3jj+Tsv
Gggl5zd7xFy6lkV7Z7wtRdMOUrWzrSXGiVZz81uFbfizYf8rMZ4BJMDvGzhUFKN6
YJjLsqtBqaYRWbOqgWeXHngOIQKAeHbugOOcBMgNJ+bOhCSj0ZzkL1KdqZJpTR3b
0zSjwnRcsmmMk0Bdmck/ihRBrbRJ+rpOV3OX5h+viEO83UlIR3/Awz9FYd3oAg5Q
WWXz9ugyFXzkHF9DABeTuckd9z0L0/eIercPdIPCgB/QkfF9nlyY7vm17ijNfare
ehAPdP4+dH7jjZjg5KWICXL9ijMSL/eoR9gzbPuCDWqDYNzHAjVMrIH336nJeT8=
=+epU
-----END PGP SIGNATURE-----
Attachment:
0x613DEC46.asc
Description: application/pgp-keys
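The thread turns on what squid copies from the client's hello into its own hello to the origin, and on point 2 of Marc's list: dropping the suites the proxy host does not support before forwarding. The following is an added example, not squid's code and not from the squid wiki: it parses a TLS ClientHello record, lists the offered suites by IANA and OpenSSL name, and rebuilds the hello with only the suites that appear in `openssl ciphers -V` output from the proxy host, in the client's original order. The hello bytes (TLS 1.0, the six suites from the iPhone capture, zeroed random) and the three `openssl ciphers -V` lines are constructed here, not taken from Marc's pcap; an empty intersection raises, which is the same situation as the "no shared cipher" error in the post.

```python
"""Added example (not squid's code): parse a TLS ClientHello, name its cipher
suites, and rebuild it keeping only suites the proxy host itself supports.
The hello bytes and the `openssl ciphers -V` sample are constructed here."""
import re
import struct

# IANA id -> (IANA name, OpenSSL name) for the six suites in the iPhone hello.
SUITES = {
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RC4-SHA"),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RC4-MD5"),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "DES-CBC-SHA"),
}
IPHONE_SUITES = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004, 0x0009]

# Constructed stand-in for `openssl ciphers -V` on the proxy host: AES and
# 3DES are listed, RC4 and single DES are not (the situation in the post).
OPENSSL_CIPHERS_V = """\
          0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""


def suites_from_openssl_v(text):
    """Extract IANA suite ids from `openssl ciphers -V` output ("0xHH,0xHH - NAME ...")."""
    ids = set()
    for m in re.finditer(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+\S+", text, re.M):
        ids.add(int(m.group(1) + m.group(2), 16))
    return ids


def build_client_hello(suites, version=0x0301, random=bytes(32), session_id=b"",
                       compression=b"\x00", extensions=b""):
    """Serialise a ClientHello inside one TLS handshake record (RFC 5246 layout)."""
    body = (struct.pack("!H", version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + bytes([len(compression)]) + compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Parse one handshake record holding a ClientHello; raise ValueError if malformed."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", rec[3:5])[0]
    hs = rec[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[:2])[0]
    off = 34                                   # after version (2) + random (32)
    sid_len = body[off]; off += 1
    session_id = body[off:off + sid_len]; off += sid_len
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    if cs_len % 2 or off + cs_len + 1 > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]; off += 1
    compression = body[off:off + comp_len]; off += comp_len
    return {"version": version, "random": body[2:34], "session_id": session_id,
            "suites": suites, "compression": compression, "extensions": body[off:]}


def suite_names(suites):
    """Readable names for suite ids; ids outside the table above are reported as unknown."""
    return [f"{SUITES[s][0]} ({SUITES[s][1]})" if s in SUITES else f"unknown 0x{s:04x}"
            for s in suites]


def filter_client_hello(rec, allowed):
    """Rebuild the hello keeping only suites in `allowed`, preserving the client's order.
    An empty intersection is the 'no shared cipher' situation from the post."""
    h = parse_client_hello(rec)
    kept = [s for s in h["suites"] if s in allowed]
    if not kept:
        raise ValueError("no shared cipher between client hello and proxy host")
    return build_client_hello(kept, h["version"], h["random"], h["session_id"],
                              h["compression"], h["extensions"])


if __name__ == "__main__":
    hello = build_client_hello(IPHONE_SUITES)
    print("client offers:", suite_names(parse_client_hello(hello)["suites"]))
    forwarded = filter_client_hello(hello, suites_from_openssl_v(OPENSSL_CIPHERS_V))
    print("forwarded    :", suite_names(parse_client_hello(forwarded)["suites"]))
```

Run against a real capture, feed `parse_client_hello` the first record of the client-side and the server-side TCP streams and compare the two suite lists; that is the same check Marc did in wireshark, and it tells you directly whether the proxy forwarded suites its own OpenSSL cannot complete a handshake with.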