Search squid archive

Re: Setting up a transparent http and https proxy server using squid 4.6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

After reading more information on this kind of error I captured a few transactions with Wireshark running on the raspberry pi hosting squid 4.6 and opensll 1.1.1d. I captured some transactions when trying to access ebay.fr which is currently not successful with the setup I have with the error of inappropriate fallback mentioned below.

I am not familiar with TLS transactions so I will try to present a high level view of the transactions between the raspberry pi and the ebay.fr server. I hope you can guide me as to what I should focus on to understand, if possible, the issue I have.

A bird's eye view of the transactions from Wireshark over time is :

     23 0.175795327    192.168.1.32          192.168.1.1           DNS      71     Standard query 0x057e A www.ebay.fr
     24 0.214678299    192.168.1.1           192.168.1.32          DNS      165    Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
     25 0.301067317    192.168.1.32          23.57.6.166           TCP      74     53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
     26 0.302488046    192.168.1.32          23.57.6.166           TCP      74     53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
     27 0.328959454    23.57.6.166           192.168.1.32          TCP      74     443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
     28 0.329115340    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
     29 0.329752684    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     30 0.330530288    23.57.6.166           192.168.1.32          TCP      74     443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
     31 0.330644819    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
     32 0.331192579    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     35 0.351054404    192.168.1.32          192.168.1.98          TCP      54     5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
     36 0.363323884    23.57.6.166           192.168.1.32          TCP      66     443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
     37 0.364291801    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     38 0.364347270    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
     39 0.365482999    23.57.6.166           192.168.1.32          TCP      1514   443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
     40 0.365535030    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
     41 0.366217999    23.57.6.166           192.168.1.32          TCP      1266   443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
     42 0.366279041    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
     43 0.366321697    23.57.6.166           192.168.1.32          TCP      74     [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
     44 0.366410135    192.168.1.32          23.57.6.166           TCP      66     [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
     45 0.366709770    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     46 0.366754978    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186756 TSecr=3470404097
     47 0.369138676    23.57.6.166           192.168.1.32          TCP      66     443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404102 TSecr=365186720
     48 0.370432739    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     49 0.370506906    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186759 TSecr=3470404102
     50 0.371401125    23.57.6.166           192.168.1.32          TCP      1514   443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
     51 0.371449250    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186760 TSecr=3470404102
     52 0.372385968    23.57.6.166           192.168.1.32          TCP      1266   443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
     53 0.372438156    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186761 TSecr=3470404102
     54 0.372859562    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     55 0.372905395    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186762 TSecr=3470404103
     56 0.374064614    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186763 TSecr=3470404097
     57 0.382856646    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186772 TSecr=3470404103
     58 0.387044251    192.168.1.32          23.57.6.166           TCP      74     53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186776 TSecr=0 WS=128
     59 0.401877325    192.168.1.32          23.57.6.166           TCP      74     53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186791 TSecr=0 WS=128
     60 0.402472117    23.57.6.166           192.168.1.32          TCP      66     443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404136 TSecr=365186763
     61 0.402574981    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186791 TSecr=3470404136
     62 0.410122326    23.57.6.166           192.168.1.32          TCP      66     443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404143 TSecr=365186772
     63 0.410185971    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186799 TSecr=3470404143
     64 0.415533941    23.57.6.166           192.168.1.32          TCP      74     443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128
     65 0.415615607    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186804 TSecr=3470404148
     66 0.416199514    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     67 0.429629098    23.57.6.166           192.168.1.32          TCP      74     443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128
     68 0.429722796    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186819 TSecr=3470404163
     69 0.430195036    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     70 0.449937225    23.57.6.166           192.168.1.32          TCP      66     443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404182 TSecr=365186805
     71 0.451000037    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     72 0.451064100    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186840 TSecr=3470404183
     73 0.451980194    23.57.6.166           192.168.1.32          TCP      1514   443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
     74 0.452031756    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186841 TSecr=3470404183
     75 0.452935767    23.57.6.166           192.168.1.32          TCP      1266   443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
     76 0.452991027    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186842 TSecr=3470404183
     77 0.453443475    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     78 0.453498215    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186842 TSecr=3470404184
     79 0.461625715    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186850 TSecr=3470404184
     80 0.463463320    23.57.6.166           192.168.1.32          TCP      66     443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404196 TSecr=365186819
     81 0.464344413    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     82 0.464433476    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186853 TSecr=3470404197
     83 0.465538632    23.57.6.166           192.168.1.32          TCP      1514   443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
     84 0.465628789    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186854 TSecr=3470404197
     85 0.466298945    23.57.6.166           192.168.1.32          TCP      1266   443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
     86 0.466437851    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186855 TSecr=3470404197
     87 0.467042591    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     88 0.467190976    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186856 TSecr=3470404197

I start my description with a Client Hello step from the raspberry pi to the ebay.fr server :

No.     Time           Source                Destination           Protocol Length Info
     29 0.329752684    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then, there is another Client Hello step which seems quite similar to the previous one :

No.     Time           Source                Destination           Protocol Length Info
     32 0.331192579    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then a Server Hello :

No.     Time           Source                Destination           Protocol Length Info
     37 0.364291801    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 78
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 74
            Version: TLS 1.2 (0x0303)

            Random: 08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
                GMT Unix Time: Oct  4, 1974 08:40:20.000000000 Paris, Madrid (heure d’été)
                Random Bytes: bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

...

So it seems the server found a common cipher with the client. I am not sure then what to look for. Frames 43 and 44 are detected by Wireshark as retransmissions but I am not sure it is a problem.

I noticed frame 45 which is about the Certificate, Certificate Status, Server Key Exchange and Server Hello Done

No.     Time           Source                Destination           Protocol Length Info
     45 0.366709770    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4102
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
     ...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 479
        Handshake Protocol: Certificate Status
            Handshake Type: Certificate Status (22)
            Length: 475
            Certificate Status Type: OCSP (1)
            OCSP Response Length: 471
            OCSP Response
...
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

...

I noticed there is a mention of Diffie-Hellman which may require some attention but I am not sure.

I am sorry for all this information but I really look forward to knowing more and managing to sort this issue out. Is there anything in this information that is relevant to understanding the issue I have ? Where should I focus ?

Best regards,

JF

Le 02/01/2021 à 11:26, jean francois hasson a écrit :

Hi,

Thank you Amos Jeffries and Antony Stone. It seems the configuration I have provides the functionality of filtering I am looking for.

There is a strange behavior I can see when accessing some legitimate sites which I see traces of in cache.log :

2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:40 kid1| Starting new redirector helpers...
2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)

I noticed other users of squid encountered similar issues but I did not find a clear answer to the issue. Is there a problem with my setup ? I am not sure to be able to solve it on my own ! Any help would be appreciated.

Best regards,

JF Hasson

Le 31/12/2020 à 10:14, Antony Stone a écrit :
On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:

If I set up on a device connected to the access point a proxy manually
ie 10.3.141.1 on port 8080, I can access the internet. If I put the
following rules for iptables to use in files rules.v4 :

*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
Try removing the DNAT rules above.  You should be using REDIRECT for intercept 
mode to work correctly.


Antony.


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux