Hello all,

Brief version: Can't get ssl_bump working to get an old XP system's schannel.dll (i.e. built-in SSL) talking to a TLS 1.2 server, but it works with Firefox (which has its own SSL stack).

Long version: This afternoon's task was to try and solve the issue of an old internal legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but needs to be able to speak to servers running TLS 1.2. I've tried several approaches, but using squid with ssl_bump seemed to be the most appropriate solution; for the life of me, though, I've not been able to get it to work properly, so I was hoping for a few pointers.

The software that needs to run uses the built-in schannel dll, but it can have a proxy specified, so things don't have to be transparent... but it does get stuck with all the limitations of the ancient schannel dll. It does, however, mean I can use the system's IE for testing.

First up, I'm running Debian on my squid server. That means the distro packages don't have SSL support compiled in, so I had to compile my own packages. The version is 3.5.23, and the relevant configure output is:

I had to compile against the older version of openssl due to the changes in their locking API, so I installed https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to compile successfully.

I've looked at countless examples, i.e. http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit ...but the only way I've got any successful SSL proxying is with:

...but as expected, that's clearly not doing any bumping from the logs:

When I put anything more in, i.e.

Then it turns on the mode:

...but then I just get errors about no ciphers:

I have a test site I'm using that I can fiddle with the ciphers on, and I can access it fine from the legacy system directly when I enable the old stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or maybe decryption from the client?) that isn't working, as it still won't connect regardless of what I try.
Even if I throw in an explicit list of ciphers, copied from the target server (incidentally, the same host as squid, if that's relevant), still nada.

Interestingly, ssl_bump seems to work perfectly fine from Firefox from the same machine, even when crippled down to TLS 1.0 only with the server set to restrict to TLS 1.2. So it seems to be doing what I want, just not for schannel.dll?

I'm suspecting that openssl as used by squid can't speak any ciphers that schannel can, so it seems the issue isn't actually between squid and the target server, but between squid and the old client...

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-issues-tp4681843.html
Sent from the Squid - Users mailing list archive at Nabble.com.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
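An explicit-bump squid.conf for the two-leg setup described above, added here as an example (it is not the poster's configuration, which the message does not include): the client-facing http_port is the only place TLS 1.0 and the old suites are allowed, while the server-facing leg is pinned to TLS 1.2, so the legacy client's weakness never reaches the wire beyond the proxy. The CA path, the client address, both cipher lists and the 3.5 option names NO_TLSv1/NO_TLSv1_1 are assumptions to check against squid.conf.documented for the build in use; the bump CA must also be imported into the XP machine's trusted root store, or schannel will reject the generated certificates.

```conf
# Squid 3.5 explicit ssl_bump proxy bridging a TLS 1.0-only legacy client
# to TLS 1.2 origin servers. Added example, not the poster's configuration;
# paths, the ACL address and the cipher lists are assumptions to adapt.

# Only the legacy host may use the bumping port (assumed address).
acl legacy_client src 192.0.2.10/32
http_access allow legacy_client
http_access deny all

# Client-facing leg: the old schannel client talks to this port, so it is
# the one place TLS 1.0 and old suites are permitted. cipher= lists suites
# an XP-era schannel can negotiate (assumed; match what the client offers).
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    options=NO_SSLv2,NO_SSLv3 \
    cipher=AES128-SHA:AES256-SHA:DES-CBC3-SHA

# Generator for the per-site certificates signed by the bump CA (3.5 name).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello first, then bump everything from the allowed client.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Server-facing leg: squid's OpenSSL speaks TLS 1.2 with modern suites only,
# and origin certificate errors are never silently passed through.
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1
sslproxy_cipher HIGH:!aNULL:!MD5:!RC4
sslproxy_cert_error deny all
```

If the "no ciphers" errors persist with a configuration like this, compare the cipher= list on http_port against the suites the client actually offers; a list with no overlap fails on the client-facing leg before squid ever opens the server-facing connection.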