Decided to fiddle with it one last time....

If I change my cipher entries from

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

to

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

I get content from dl.xda-developers.com just fine. But I won't pretend I understand the cipher chain, or whether the change is a good thing.

On 2 March 2017 at 13:01, Adrian Miller <adrian.m.miller@xxxxxxxxx> wrote:

> > That command you used does not send data through the proxy. So that
> > confirms that the server's TLS is broken in a way unrelated to Squid.
>
> As that may be, when I go direct (sans proxy) I get thumbnails... no issues.
> Toggle the proxy back on and no thumbnails, and opening an image link gives the
> error initially reported.
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> So both IE and FF will just load anything from dl.xda-developers.com and not
> register an issue, but Squid will refuse to load the content and generate
> the error.
>
> > You need to locate the root CA and/or intermediate CA certificates used
> > to sign the domain server's certificate.
> >
> > You then need to identify *why* they are not being trusted by your OS
> > library.
> >
> > Be sure to determine whether the CA which is missing is actually
> > trustworthy before adding it to your trusted set.
> > More than a few of the CA which are around are not trusted because they
> > have been hacked or caught signing forged certificates they should not have.
>
> I always learn something when you're silly enough to reply :)
>
> When I ran dl.xda-developers.com through ssllabs (thanks google), it gave
> me a less than glowing report, including an incomplete cert chain (I say
> that like I understand it :) ) or as it put it:
>
> This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
> <https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable>
> and exploitable. Grade set to F.
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107)
> <https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/>
> and insecure. Grade set to F.
> This server accepts RC4 cipher, but only with older browsers. Grade capped to B.
> <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
> This server's certificate chain is incomplete. Grade capped to B.
>
> Full report here for the curious:
> https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on
>
> For a few thumbnails I'm not going to torture myself, maybe I'll send the
> forum admin a note instead :)
>
> > PS. EECDH will not work unless you configure a curve name in the
> > tls-dh= option. Just having dhparam.pem alone will only enable the less
> > secure DH ciphers.
>
> I did add a curve to the tls-dh param, I'm guessing 'tis correct, little
> info on which one to use (grabbing the list from my local openssl had me
> going what the hell)
>
> tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem
>
> Note: this made no difference whatsoever with my issue.
>
> Cheers,
>
> Adrian Miller
>
> On 2 March 2017 at 04:08, Adrian Miller <adrian.m.miller@xxxxxxxxx> wrote:
>
>> Thanks Amos for the info, appreciate your tireless assistance for us
>> numpties :)
>>
>> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]"
>> <ml-node+s1019090n4681642h47@xxxxxxxxxxxxx> wrote:
>>
>>> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>>>
>>> > This is driving me nuts, it's the only issue I've found running ssl bump
>>> > on my home network for eons.
>>> >
>>> > I can't see image thumbnails on xda-developers...
>>> >
>>> > When I access a thread with them, I get text links, not thumbnails,
>>> > and if I click on the links I get the following:
>>> >
>>> > (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>> >
>>> > SSL Certficate error: certificate issuer (CA) not known:
>>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> >
>>> > I figured out by googling how to (I hope) trace the problem certificate
>>> > via s_client:
>>> >
>>> > OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
>>> > verify depth is 32
>>> > CONNECTED(0000012C)
>>> > depth=0 CN = *.xda-developers.com
>>> > verify error:num=20:unable to get local issuer certificate
>>> > verify return:1
>>> > depth=0 CN = *.xda-developers.com
>>> > verify error:num=21:unable to verify the first certificate
>>> > verify return:1
>>>
>>> That command you used does not send data through the proxy. So that
>>> confirms that the server's TLS is broken in a way unrelated to Squid.
>>>
>>> > ---
>>> > Certificate chain
>>> >  0 s:/CN=*.xda-developers.com
>>> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> ...
>>> > ---
>>> > Server certificate
>>> > subject=/CN=*.xda-developers.com
>>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>>> > ---
>>> > No client certificate CA names sent
>>> > Peer signing digest: SHA512
>>> > Server Temp Key: ECDH, P-256, 256 bits
>>> > ---
>>> > SSL handshake has read 2067 bytes and written 302 bytes
>>> > Verification error: unable to verify the first certificate
>>> >
>>> > I've found the intermediate bundle from RapidSSL, and added it to my
>>> > existing pem bundle... no change
>>>
>>> You need to locate the root CA and/or intermediate CA certificates used
>>> to sign the domain server's certificate.
>>>
>>> You then need to identify *why* they are not being trusted by your OS
>>> library.
>>>
>>> Be sure to determine whether the CA which is missing is actually
>>> trustworthy before adding it to your trusted set. More than a few of the
>>> CA which are around are not trusted because they have been hacked or
>>> caught signing forged certificates they should not have.
>>>
>>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
>>> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem... no change
>>> >
>>> > My sslbump related config lines are:
>>> >
>>> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
>>> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
>>> > capath=/cygdrive/e/Squid/etc/ssl
>>> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
>>> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
>>> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>>
>>> PS. EECDH will not work unless you configure a curve name in the
>>> tls-dh= option. Just having dhparam.pem alone will only enable the less
>>> secure DH ciphers.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>

--
I hate to advocate *drugs*, *alcohol*, *violence* or
*insanity* to anyone, *but* they've *always* worked for *me*

- Hunter S. Thompson

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681647.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users