3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau-3

Hi,
I'm unable to access the https://www.boutique.afnor.org website.
I would like to know if this issue cannot be fixed and I must deny bumping
the website to fix it.
Without Squid the website is correctly displayed.

Squid claims an error page with "(71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE)"

In cache.log: "Error negotiating SSL on FD 17:
error:00000000:lib(0):func(0):reason(0) (5/0/0)"

Using the following configuration:

http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M
8MB
sslcrtd_children 16 startup=5 idle=1
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL
:!eNULL
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all



Openssl info
----------------------------------------------------------------------------
----------------------------------------------------------------------------
---

openssl s_client -connect 195.115.26.58:443 -showcerts

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c)
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public
Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN =
Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION
FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN
= www.boutique.afnor.org
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
-----BEGIN CERTIFICATE-----
../..
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE
NORMALISATION/OU=ASSOCIATION FRANCAISE DE
NORMALISATION/CN=www.boutique.afnor.org
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3105 bytes and written 616 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
    Session-ID-ctx:
    Master-Key:
D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5
D6B5955DD8DF06608416
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493311275
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Olly Lennox
Hi David,

I'm battling with similar problems at the moment. One thing that I've found is that the system seems happier when you don't peek prior to a bump. My current config is:

acl nobumpserver ssl::server_name "/etc/squid/nobump"
acl ignoreclients src "/etc/squid/nobumpclients"
acl step1 at_step SslBump1

ssl_bump peek nobumpserver step1
ssl_bump peek ignoreclients step1
ssl_bump splice nobumpserver
ssl_bump splice ignoreclients

ssl_bump stare step1 !nobumpserver !ignoreclients

ssl_bump bump !nobumpserver !ignoreclients

where nobump is a list of regex domains (like .apple.com) and nobumpclients is a list of IPs I never want to bump. I'm still battling with errors and sites not always working, but of all the configurations I've tried this one seems to work for the majority of sites.

Cheers,
[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: David Touzeau <[hidden email]>
To: [hidden email]
Sent: Thursday, 27 April 2017, 17:48
Subject: [squid-users] 3.5.25: (71) Protocol error (TLS code:    SQUID_ERR_SSL_HANDSHAKE)




Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Yuri Voinov
In reply to this post by David Touzeau-3
This one?

http://i.imgur.com/kI9SxiN.png

It works under bump.


27.04.2017 22:47, David Touzeau wrote:

> Using the following configuration:
>
> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
What is this? Which certificate?

--
Bugs to the Future

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Yuri Voinov
In reply to this post by David Touzeau-3
Look. It can be an intermediate certificates issue.

Does Squid have Symantec intermediate certificates?


27.04.2017 22:47, David Touzeau wrote:

--
Bugs to the Future

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau-3
Hi Yuri

I did not know whether Squid has the Symantec intermediate certificates.
Squid is installed as default...
Any howto?


-----Original Message-----
From: squid-users [mailto:[hidden email]] On behalf of Yuri Voinov
Sent: Thursday, 27 April 2017 22:09
To: [hidden email]
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Look. It can be intermediate certificates issue.

Does Squid have Symantec intermediate certificates?


27.04.2017 22:47, David Touzeau wrote:

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Yuri Voinov
Squid can't have any intermediate certificates. Same as root CA's.

You can use this:

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

However, you should identify and collect them by yourself.

The biggest problem:

Unlike root CA's, which can be taken from Mozilla's, intermediate
CAs are spread over the CA providers, have a much shorter validity period (in most
cases up to 5-7 years) and, for this reason, should be continuously
maintained by the proxy admin.

Also, remove this:

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

From your config. Don't. Never. This completely disables ANY security checks for certificates, which leads to a giant vulnerability for your users.
sslproxy_cert_error should be restricted by very specific ACL(s) in your config, only to the number of sites you trust.

28.04.2017 2:27, David Touzeau wrote:

--
Bugs to the Future
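The chain check Yuri describes, written as an added example (not the thread's or Squid's own code): it parses `openssl s_client -showcerts` output of the kind David posted, reports any issuer that neither the server's chain nor the trust store supplies, and pulls out the non-self-signed intermediates that belong in `sslproxy_foreign_intermediate_certs`. The `-showcerts` samples are constructed with placeholder PEM bodies; only the DNs are copied from the thread.

```python
"""Chain check for `openssl s_client -showcerts` output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Distinguished names copied from the chain David posted.
LEAF_DN = ("/C=FR/ST=Seine Saint Denis/L=ST DENIS"
           "/O=ASSOCIATION FRANCAISE DE NORMALISATION"
           "/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org")
INTERMEDIATE_DN = ("/C=US/O=Symantec Corporation/OU=Symantec Trust Network"
                   "/CN=Symantec Class 3 Secure Server CA - G4")
ROOT_DN = ("/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network"
           "/OU=(c) 2006 VeriSign, Inc. - For authorized use only"
           "/CN=VeriSign Class 3 Public Primary Certification Authority - G5")

# Constructed placeholder PEM bodies: the markers are real, the bodies are not.
PEM_LEAF = ("-----BEGIN CERTIFICATE-----\nMIIF...leaf-placeholder...\n"
            "-----END CERTIFICATE-----")
PEM_INTERMEDIATE = ("-----BEGIN CERTIFICATE-----\nMIIE...intermediate-placeholder...\n"
                    "-----END CERTIFICATE-----")


def fake_showcerts(chain: list[tuple[str, str, str]]) -> str:
    """Build constructed s_client -showcerts output from (subject, issuer, pem)
    tuples, laid out the way the real tool prints its 'Certificate chain'."""
    lines = ["CONNECTED(00000003)", "---", "Certificate chain"]
    for n, (subject, issuer, pem) in enumerate(chain):
        lines += [f" {n} s:{subject}", f"   i:{issuer}", pem]
    lines += ["---", "Server certificate", f"subject={chain[0][0]}",
              f"issuer={chain[0][1]}", "---"]
    return "\n".join(lines) + "\n"


# Sample 1: what the thread's s_client run shows (leaf plus intermediate sent).
SHOWCERTS_FULL = fake_showcerts([
    (LEAF_DN, INTERMEDIATE_DN, PEM_LEAF),
    (INTERMEDIATE_DN, ROOT_DN, PEM_INTERMEDIATE),
])
# Sample 2: a server that sends only its leaf, the situation
# sslproxy_foreign_intermediate_certs exists to repair.
SHOWCERTS_LEAF_ONLY = fake_showcerts([(LEAF_DN, INTERMEDIATE_DN, PEM_LEAF)])


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str
    pem: str

    @property
    def self_signed(self) -> bool:
        # A self-signed entry is a root. Squid ignores roots placed in the
        # foreign-intermediates file; they belong in the trusted CA bundle.
        return self.subject == self.issuer


ENTRY_RE = re.compile(
    r"^\s*(\d+) s:([^\n]*)\n\s*i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.S | re.M,
)


def parse_showcerts(text: str) -> list[ChainEntry]:
    """Return the certificates the origin server sent, in wire order."""
    return [ChainEntry(int(n), s.strip(), i.strip(), pem)
            for n, s, i, pem in ENTRY_RE.findall(text)]


def missing_issuers(text: str, trusted_root_subjects: set[str]) -> list[str]:
    """Issuer DNs satisfied neither by the sent chain nor by the trust store.
    Each is a certificate the proxy must supply itself: an intermediate goes
    into sslproxy_foreign_intermediate_certs, a root into the CA bundle."""
    entries = parse_showcerts(text)
    sent = {e.subject for e in entries}
    missing: list[str] = []
    for e in entries:
        if e.self_signed or e.issuer in sent or e.issuer in trusted_root_subjects:
            continue
        if e.issuer not in missing:
            missing.append(e.issuer)
    return missing


def foreign_intermediates(text: str) -> str:
    """PEM blocks worth appending to the sslproxy_foreign_intermediate_certs
    file: everything the server sent except its own leaf and any root."""
    blocks = [e.pem for e in parse_showcerts(text)
              if e.index > 0 and not e.self_signed]
    return "\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    trust = {ROOT_DN}  # the VeriSign G5 root, from the system CA bundle
    print("full chain, missing:", missing_issuers(SHOWCERTS_FULL, trust))
    print("leaf only, missing:", missing_issuers(SHOWCERTS_LEAF_ONLY, trust))
    print(foreign_intermediates(SHOWCERTS_FULL))
```

Run it against real `openssl s_client -connect host:443 -showcerts` output to see which issuer the proxy has to supply; a missing self-signed issuer points at the CA bundle, not at the foreign-intermediates file.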

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau-3
Thanks Yuri!

But I still have the error "Error negotiating SSL on FD 13:
error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the site
(as I saw you can with your squid...???)

Created a file /etc/squid3/cabundle.pem

Added Symantec certificates available here:
https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2047

added

sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem

and performed a squid -k reconfigure.

Missing something???

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:[hidden email]]
Sent: Thursday, 27 April 2017 22:52
To: David Touzeau <[hidden email]>; [hidden email]
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code:
SQUID_ERR_SSL_HANDSHAKE)

Squid can't have any intermediate certificates. As by as root CA's.

You can use this:

#  TAG: sslproxy_foreign_intermediate_certs
#    Many origin servers fail to send their full server certificate
#    chain for verification, assuming the client already has or can
#    easily locate any missing intermediate certificates.
#
#    Squid uses the certificates from the specified file to fill in
#    these missing chains when trying to validate origin server
#    certificate chains.
#
#    The file is expected to contain zero or more PEM-encoded
#    intermediate certificates. These certificates are not treated
#    as trusted root certificates, and any self-signed certificate in
#    this file will be ignored.
#Default:
# none

However, you should identify and collect them yourself.

The biggest problem:

Unlike root CAs, which can be taken from Mozilla's bundle, intermediate CAs
are spread across CA providers, have much shorter validity periods (in most
cases up to 5-7 years) and, for this reason, must be continuously maintained
by the proxy admin.

Also, remove this:

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

from your config. Don't. Never. This completely disables ANY security
checks for certificates, which exposes your users to a giant vulnerability.
sslproxy_cert_error should be restricted by very specific ACL(s) in your
config, only for the handful of sites you trust.

28.04.2017 2:27, David Touzeau wrote:

> Hi Yuri
>
> I did not know whether Squid has the Symantec intermediate certificate; Squid
> is installed as default...
> Any howto?
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On behalf of Yuri Voinov
> Sent: Thursday, 27 April 2017 22:09
> To: [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Look. It can be intermediate certificates issue.
>
> Does Squid have Symantec intermediate certificates?
>
>
> 27.04.2017 22:47, David Touzeau пишет:
>> Hi,
>> I'm unable to access to https://www.boutique.afnor.org website.
>> I would like to know if this issue cannot be fixed and must deny bump
>> website to fix it.
>> Without Squid the website is correctly displayed
>>
>> Squid claim an error page with "(71) Protocol error (TLS code:
>> SQUID_ERR_SSL_HANDSHAKE)"
>>
>> In cache.log: "Error negotiating SSL on FD 17:
>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>
>> Using the following configuration:
>>
>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>> sslcrtd_children 16 startup=5 idle=1
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>>
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>>
>>
>> Openssl info
>> ----------------------------------------------------------------------------
>>
>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>
>> CONNECTED(00000003)
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>> verify return:1
>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>> -----BEGIN CERTIFICATE-----
>> ../..
>> -----END CERTIFICATE-----
>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> -----BEGIN CERTIFICATE-----
>> ../..
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 3105 bytes and written 616 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>     Session-ID-ctx:
>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1493311275
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> read:errno=0
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
> --
> Bugs to the Future
>

--
Bugs to the Future
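What Yuri's advice looks like as squid.conf directives, as an added example that is not part of the original thread: the two lines he says to remove, beside a replacement that keeps peer verification on, fills in missing intermediates from a file you maintain, and forgives certificate errors only for sites you have looked at by hand. The ACL name BrokenButTrustedServers, the example domain and the file paths are assumptions for illustration; sslproxy_cafile is the directive Olly suggests later in the thread.

```conf
# --- WEAK (from the original post): every certificate error is forgiven, for every site ---
# sslproxy_flags DONT_VERIFY_PEER
# sslproxy_cert_error allow all

# --- HARDENED: verify origin servers, supply what they forget to send, whitelist narrowly ---
# Trusted roots: point Squid at the OS bundle (path is a Debian-style assumption).
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

# Intermediates that origin servers omit. PEM, non-self-signed only; a root in
# this file is ignored by Squid, so roots go in sslproxy_cafile above.
sslproxy_foreign_intermediate_certs /etc/squid3/cabundle.pem

# Only the sites you have examined and decided to accept despite a broken chain
# (hypothetical ACL and domain); everything else is denied.
acl BrokenButTrustedServers ssl::server_name .intranet.example
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
```

With verification back on, a site whose chain Squid cannot build shows up as a certificate error in cache.log naming the site, which is the signal to go fetch that intermediate rather than to widen the ACL.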


Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Yuri Voinov
Be careful with the intermediate CAs you grabbed. Check their validity,
fingerprints and attributes.

Proxying SSL requires much more work with Squid.


28.04.2017 3:12, David Touzeau wrote:
> Thanks Yuri
>
> But I still have the error "Error negotiating SSL on FD 13:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the site
> (as I see you can with your Squid...???)
Yes. With two different versions.

>
> Created a file /etc/squid3/cabundle.pem
>
> Added Symantec certificates available here:
> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=INFO2047
>
> added
>
> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>
> and performed squid -k reconfigure
>
> Missing something???
Maybe. I recommend re-initializing the mimic certificates DB as well, and
restarting Squid, not reconfiguring.

Keep in mind that the SSL bump configuration is critically important for
success. For example, AFAIK stare is often the opposite of bump (in most
cases). Read the wiki article, but also remember this functionality is still
evolving and can change without notice. So, experiment.

>
> Best regards
>
> -----Original Message-----
> From: Yuri Voinov [mailto:[hidden email]]
> Sent: Thursday, 27 April 2017 22:52
> To: David Touzeau <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)
>
> Squid doesn't have any intermediate certificates, nor root CAs.
>
> You can use this:
>
> #  TAG: sslproxy_foreign_intermediate_certs
> #    Many origin servers fail to send their full server certificate
> #    chain for verification, assuming the client already has or can
> #    easily locate any missing intermediate certificates.
> #
> #    Squid uses the certificates from the specified file to fill in
> #    these missing chains when trying to validate origin server
> #    certificate chains.
> #
> #    The file is expected to contain zero or more PEM-encoded
> #    intermediate certificates. These certificates are not treated
> #    as trusted root certificates, and any self-signed certificate in
> #    this file will be ignored.
> #Default:
> # none
>
> However, you should identify and collect them yourself.
>
> The biggest problem:
>
> Unlike root CAs, which can be taken from Mozilla's bundle, intermediate CAs
> are spread across CA providers, have much shorter validity periods (in most
> cases up to 5-7 years) and, for this reason, must be continuously maintained
> by the proxy admin.
>
> Also, remove this:
>
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
> from your config. Don't. Never. This completely disables ANY security
> checks for certificates, which exposes your users to a giant vulnerability.
> sslproxy_cert_error should be restricted by very specific ACL(s) in your
> config, only for the handful of sites you trust.
>
> 28.04.2017 2:27, David Touzeau wrote:
>> Hi Yuri
>>
>> I did not know whether Squid has the Symantec intermediate certificate; Squid
>> is installed as default...
>> Any howto?
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:[hidden email]] On behalf of Yuri Voinov
>> Sent: Thursday, 27 April 2017 22:09
>> To: [hidden email]
>> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>> Look. It can be intermediate certificates issue.
>>
>> Does Squid have Symantec intermediate certificates?
>>
>>
>> 27.04.2017 22:47, David Touzeau wrote:
>>> Hi,
>>> I'm unable to access to https://www.boutique.afnor.org website.
>>> I would like to know if this issue cannot be fixed and must deny bump
>>> website to fix it.
>>> Without Squid the website is correctly displayed
>>>
>>> Squid claim an error page with "(71) Protocol error (TLS code:
>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>
>>> In cache.log: "Error negotiating SSL on FD 17:
>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>
>>> Using the following configuration:
>>>
>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>>> sslcrtd_children 16 startup=5 idle=1
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>>
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>>
>>>
>>> Openssl info
>>> ----------------------------------------------------------------------------
>>>
>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>>> verify return:1
>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>>> verify return:1
>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3105 bytes and written 616 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES128-SHA
>>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>     Session-ID-ctx:
>>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1493311275
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> read:errno=0
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>
--
Bugs to the Future
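The failure the thread is chasing, reproduced end to end with a throw-away CA hierarchy, plus the checks Yuri asks for ("check their validity, fingerprints and attributes") before a grabbed intermediate goes into the file named by sslproxy_foreign_intermediate_certs. This is an added example, not code from the thread or from the Squid project; it needs only the openssl command-line tool (1.1.1 or newer). Every certificate is generated on the fly, and the names "Example Root CA", "Example Intermediate CA" and www.example.test are made up.

```sh
#!/bin/sh
# Added example: missing-intermediate failure, the fix, and the vetting steps.
# Constructed certificates only; nothing here touches the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# newcert OUT KEY SUBJECT EXTFILE [CA_CERT CA_KEY]
# Issue a certificate; self-signed when no issuer is given.
newcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$1.csr" -subj "$3" 2>/dev/null
    if [ $# -ge 6 ]; then
        openssl x509 -req -in "$1.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
            -days 365 -extfile "$4" -out "$1" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$2" -days 365 -extfile "$4" -out "$1" 2>/dev/null
    fi
}

# Hypothetical three-tier chain, the same shape as root -> Symantec G4 -> site cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
newcert root.pem  root.key  "/CN=Example Root CA"         ca.ext
newcert inter.pem inter.key "/CN=Example Intermediate CA" ca.ext   root.pem  root.key
newcert leaf.pem  leaf.key  "/CN=www.example.test"        leaf.ext inter.pem inter.key

# verify_chain ROOT LEAF [INTERMEDIATE] -> 0 when LEAF validates up to ROOT.
# Without the third argument the verifier is in the position Squid is in when
# the origin server sends only its own certificate.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# is_self_signed CERT -> 0 when subject == issuer (a root; Squid ignores those
# in the foreign-intermediates file, they belong in sslproxy_cafile).
is_self_signed() {
    s="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)"
    i="$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253)"
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# is_ca CERT -> 0 when basicConstraints says CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# inspect CERT: what to compare against the CA's published data before trusting
# a certificate you downloaded: DNs, validity window, SHA-256 fingerprint, CA bits.
inspect() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
    openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage
}

# build_bundle OUT CERT... : keep only CA certificates that are not self-signed.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for c in "$@"; do
        if is_self_signed "$c"; then echo "skip $c: self-signed root" >&2; continue; fi
        if ! is_ca "$c";        then echo "skip $c: not a CA certificate" >&2; continue; fi
        cat "$c" >> "$out"
    done
}

# count_certs FILE -> number of PEM certificates in FILE.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# 1. Leaf alone: this is the handshake Squid rejects.
if verify_chain root.pem leaf.pem; then
    echo "unexpected: leaf validated without its intermediate"
else
    echo "without intermediate: $(openssl verify -CAfile root.pem leaf.pem 2>&1 | grep 'unable to get' || true)"
fi

# 2. Intermediate supplied out of band: what sslproxy_foreign_intermediate_certs does.
verify_chain root.pem leaf.pem inter.pem && echo "with intermediate supplied: OK"

# 3. Vet the intermediate, then assemble the bundle; root and leaf are filtered out.
inspect inter.pem
build_bundle foreign_intermediates.pem root.pem inter.pem leaf.pem
echo "bundle holds $(count_certs foreign_intermediates.pem) intermediate certificate(s)"
```

For the real site, save the blocks printed by `openssl s_client -showcerts` to separate files and feed them to build_bundle the same way: the depth-0 block is the leaf and is dropped, anything self-signed is dropped, and what remains goes into the file named by sslproxy_foreign_intermediate_certs, followed by a full restart rather than a reconfigure, as Yuri advises.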


Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau-3
I'm fighting to find the correct certificate chain for this website:
https://www.boutique.afnor.org

I have also added all certificates included in this package:
https://packages.debian.org/fr/sid/ca-certificates


Do you have any tips to help?

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:[hidden email]]
Sent: Thursday, 27 April 2017 23:26
To: David Touzeau <[hidden email]>; [hidden email]
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Be careful with the intermediate CAs you grabbed. Check their validity, fingerprints and attributes.

Proxying SSL requires much more work with Squid.


28.04.2017 3:12, David Touzeau wrote:
> Thanks Yuri
>
> But I still have the error "Error negotiating SSL on FD 13:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the
> site (as I see you can with your Squid...???)
Yes. With two different versions.

>
> Created a file /etc/squid3/cabundle.pem
>
> Added Symantec certificates available here:
> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id
> =INFO2047
>
> added
>
> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>
> and performed squid -k reconfigure
>
> Missing something???
Maybe. I recommend re-initializing the mimic certificates DB as well, and restarting Squid, not reconfiguring.

Keep in mind that the SSL bump configuration is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.

>
> Best regards
>
> -----Original Message-----
> From: Yuri Voinov [mailto:[hidden email]]
> Sent: Thursday, 27 April 2017 22:52
> To: David Touzeau <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)
>
> Squid doesn't have any intermediate certificates, nor root CAs.
>
> You can use this:
>
> #  TAG: sslproxy_foreign_intermediate_certs
> #    Many origin servers fail to send their full server certificate
> #    chain for verification, assuming the client already has or can
> #    easily locate any missing intermediate certificates.
> #
> #    Squid uses the certificates from the specified file to fill in
> #    these missing chains when trying to validate origin server
> #    certificate chains.
> #
> #    The file is expected to contain zero or more PEM-encoded
> #    intermediate certificates. These certificates are not treated
> #    as trusted root certificates, and any self-signed certificate in
> #    this file will be ignored.
> #Default:
> # none
>
> However, you should identify and collect them yourself.
>
> The biggest problem:
>
> Unlike root CAs, which can be taken from Mozilla's bundle, intermediate CAs
> are spread across CA providers, have much shorter validity periods (in most
> cases up to 5-7 years) and, for this reason, must be continuously maintained
> by the proxy admin.
>
> Also, remove this:
>
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
> from your config. Don't. Never. This completely disables ANY security
> checks for certificates, which exposes your users to a giant vulnerability.
> sslproxy_cert_error should be restricted by very specific ACL(s) in your
> config, only for the handful of sites you trust.
>
> 28.04.2017 2:27, David Touzeau wrote:
>> Hi Yuri
>>
>> I did not know whether Squid has the Symantec intermediate certificate; Squid
>> is installed as default...
>> Any howto?
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:[hidden email]] On behalf of Yuri Voinov
>> Sent: Thursday, 27 April 2017 22:09
>> To: [hidden email]
>> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>> Look. It can be intermediate certificates issue.
>>
>> Does Squid have Symantec intermediate certificates?
>>
>>
>> 27.04.2017 22:47, David Touzeau wrote:
>>> Hi,
>>> I'm unable to access to https://www.boutique.afnor.org website.
>>> I would like to know if this issue cannot be fixed and must deny
>>> bump website to fix it.
>>> Without Squid the website is correctly displayed
>>>
>>> Squid claim an error page with "(71) Protocol error (TLS code:
>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>
>>> In cache.log: "Error negotiating SSL on FD 17:
>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>
>>> Using the following configuration:
>>>
>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>>> sslcrtd_children 16 startup=5 idle=1
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>>
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>>
>>>
>>> Openssl info
>>> ----------------------------------------------------------------------------
>>>
>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>>> verify return:1
>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>>> verify return:1
>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN = www.boutique.afnor.org
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>> -----BEGIN CERTIFICATE-----
>>> ../..
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE NORMALISATION/CN=www.boutique.afnor.org
>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3105 bytes and written 616 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES128-SHA
>>>     Session-ID: 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>     Session-ID-ctx:
>>>     Master-Key: D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1493311275
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> read:errno=0
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>

--
Bugs to the Future


Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Antony Stone
On Friday 28 April 2017 at 11:14:16, David Touzeau wrote:

> I'm fighting to find the correct certificate chain for this website:
> https://www.boutique.afnor.org

$ openssl s_client -host www.boutique.afnor.org -port 443 -prexit -showcerts
CONNECTED(00000003)

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c)
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public
Primary Certification Authority - G5
verify return:1

depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN =
Symantec Class 3 Secure Server CA - G4
verify return:1

depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O = ASSOCIATION
FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE DE NORMALISATION, CN =
www.boutique.afnor.org
verify return:1


Antony.

--
"When you talk about Linux versus Windows, you're talking about which
operating system is the best value for money and fit for purpose. That's a very
basic decision customers can make if they have the information available to
them. Quite frankly if we lose to Linux because our customers say it's better
value for money, tough luck for us."

 - Steve Vamos, MD of Microsoft Australia

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Olly Lennox
Have you tried the CA bundle here:


referenced in the config with:

sslproxy_cafile /etc/squid/ca-bundle.crt

This fixed a lot of the cert errors I experienced.
 
[hidden email]
lennox-it.uk
tel: 07900 648 252



From: David Touzeau <[hidden email]>
To: 'Yuri Voinov' <[hidden email]>; [hidden email]
Sent: Friday, 28 April 2017, 11:14
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

I'm fighting to find the correct certificate chain for this website:
https://www.boutique.afnor.org

I have also added all certificates included in this package:
https://packages.debian.org/fr/sid/ca-certificates


Do you have any tips to help?

Best regards

-----Original Message-----
From: Yuri Voinov [mailto:[hidden email]]
Sent: Thursday, 27 April 2017 23:26
To: David Touzeau <[hidden email]>; [hidden email]
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Be careful with the intermediate CAs you grabbed. Check their validity, fingerprints and attributes.

Proxying SSL requires much more work with Squid.


28.04.2017 3:12, David Touzeau wrote:
> Thanks Yuri
>
> But I still have the error "Error negotiating SSL on FD 13:
> error:00000000:lib(0):func(0):reason(0) (5/0/0)" and cannot browse to the
> site (as I see you can with your Squid...???)
Yes. With two different versions.

>
> Created a file /etc/squid3/cabundle.pem
>
> Added Symantec certificates available here:
> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id
> =INFO2047
>
> added
>
> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>
> and performed squid -k reconfigure
>
> Missing something???
Maybe. I recommend re-initializing the mimic certificates DB as well, and restarting Squid, not reconfiguring.

Keep in mind that the SSL bump configuration is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.

>
> Best regards
>
> -----Original Message-----
> From: Yuri Voinov [mailto:[hidden email]]
> Sent: Thursday, 27 April 2017 22:52
> To: David Touzeau <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)
>
> Squid doesn't have any intermediate certificates, nor root CAs.
>
> You can use this:
>
> #  TAG: sslproxy_foreign_intermediate_certs
> #    Many origin servers fail to send their full server certificate
> #    chain for verification, assuming the client already has or can
> #    easily locate any missing intermediate certificates.
> #
> #    Squid uses the certificates from the specified file to fill in
> #    these missing chains when trying to validate origin server
> #    certificate chains.
> #
> #    The file is expected to contain zero or more PEM-encoded
> #    intermediate certificates. These certificates are not treated
> #    as trusted root certificates, and any self-signed certificate in
> #    this file will be ignored.
> #Default:
> # none
>
> However, you should identify and collect them yourself.
>
> The biggest problem:
>
> Unlike root CAs, which can be taken from Mozilla's bundle, intermediate CAs
> are spread across CA providers, have much shorter validity periods (in most
> cases up to 5-7 years) and, for this reason, must be continuously maintained
> by the proxy admin.
>
> Also, remove this:
>
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
> from your config. Don't. Never. This completely disables ANY security
> checks for certificates, which exposes your users to a giant vulnerability.
> sslproxy_cert_error should be restricted by very specific ACL(s) in your
> config, only for the handful of sites you trust.
>
> 28.04.2017 2:27, David Touzeau wrote:
>> Hi Yuri
>>
>> I did not know whether Squid has the Symantec intermediate certificate; Squid
>> is installed as default...
>> Any howto?
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:[hidden email]] On behalf of Yuri Voinov
>> Sent: Thursday, 27 April 2017 22:09
>> To: [hidden email]
>> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>> Look. It can be intermediate certificates issue.
>>
>> Does Squid have Symantec intermediate certificates?
>>
>>
>> 27.04.2017 22:47, David Touzeau wrote:
>>> Hi,
>>> I'm unable to access to https://www.boutique.afnor.org website.
>>> I would like to know if this issue cannot be fixed and must deny
>>> bump website to fix it.
>>> Without Squid the website is correctly displayed
>>>
>>> Squid claim an error page with "(71) Protocol error (TLS code:
>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>
>>> In cache.log: "Error negotiating SSL on FD 17:
>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>
>>> Using the following configuration:
>>>
>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
>>> sslcrtd_children 16 startup=5 idle=1
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>>
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>>
>>>
>>> Openssl info
>>> --------------------------------------------------------------------
>>> -
>>> -
>>> ------
>>> --------------------------------------------------------------------
>>> -
>>> -
>>> ------
>>> ---
>>>
>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
>>> OU = "(c)
>>> 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
>>> 3 Public Primary Certification Authority - G5 verify return:1
>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust
>>> Network, CN = Symantec Class 3 Secure Server CA - G4 verify return:1
>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O =
>>> ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE
>>> DE NORMALISATION, CN = www.boutique.afnor.org verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE
>>> DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>> NORMALISATION/CN=www.boutique.afnor.org
>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4 -----BEGIN
>>> CERTIFICATE----- ../..
>>> -----END CERTIFICATE-----
>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
>>> Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- ../..
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION
>>> FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>> NORMALISATION/CN=www.boutique.afnor.org
>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3105 bytes and written 616 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>    Protocol  : TLSv1
>>>    Cipher    : AES128-SHA
>>>    Session-ID:
>>> 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>    Session-ID-ctx:
>>>    Master-Key:
>>> D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>    Key-Arg  : None
>>>    PSK identity: None
>>>    PSK identity hint: None
>>>    SRP username: None
>>>    Start Time: 1493311275
>>>    Timeout  : 300 (sec)
>>>    Verify return code: 0 (ok)
>>> ---
>>> read:errno=0
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>

--
Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users




Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Rafael Akchurin
In reply to this post by David Touzeau-3
Hello David and all,

According to https://www.ssllabs.com/ssltest/analyze.html?d=www.boutique.afnor.org&hideResults=on you do not need to add any intermediate certificates to system storage - site seems to be sending the whole chain as it should...

BUT the overall site SSL rating is so bad..

Raf

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of David Touzeau
Sent: Friday, April 28, 2017 10:14 AM
To: 'Yuri Voinov'; [hidden email]
Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

I'm fighting to find the correct certificate chain for this website:
https://www.boutique.afnor.org

I have also added all certificates included in this package:
https://packages.debian.org/fr/sid/ca-certificates


Do you have any tips to help ?

Best regards

-----Message d'origine-----
De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril 2017 23:26 À : David Touzeau <[hidden email]>; [hidden email] Objet : Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Be careful with intermediate CA's you grabbed. Check their validity, fingerprints and attributes.

Proxying SSL requires much more work with Squid.


28.04.2017 3:12, David Touzeau пишет:
> Thanks Yuri
>
>  ! but I still have the error " Error negotiating SSL on FD 13:
> error:00000000:lib(0):func(0):reason(0) (5/0/0) " and cannot browse to
> the site (as I saw you can with your Squid...???)
Yes. With two different versions.

>
> Created a file /etc/squid3/cabundle.pem
>
> Added Symantec certificates available here:
> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id
> =INFO2047
>
> add
>
> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>
> and perform a squid -k reconfigure
>
> Missing something ???
Maybe. I recommend re-initializing the mimic certificates DB as well and restarting Squid, not reconfiguring.

Keep in mind that SSL bump is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.

>
> Best regards
>
> -----Message d'origine-----
> De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril
> 2017 22:52 À : David Touzeau <[hidden email]>;
> [hidden email] Objet : Re: [squid-users] 3.5.25:
> (71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)
>
> Squid can't have any intermediate certificates. As by as root CA's.
>
> You can use this:
>
> #  TAG: sslproxy_foreign_intermediate_certs
> #    Many origin servers fail to send their full server certificate
> #    chain for verification, assuming the client already has or can
> #    easily locate any missing intermediate certificates.
> #
> #    Squid uses the certificates from the specified file to fill in
> #    these missing chains when trying to validate origin server
> #    certificate chains.
> #
> #    The file is expected to contain zero or more PEM-encoded
> #    intermediate certificates. These certificates are not treated
> #    as trusted root certificates, and any self-signed certificate in
> #    this file will be ignored.
> #Default:
> # none
>
> However, you should identify and collect them by yourself.
>
> The biggest problem:
>
> Unlike root CA's, which can be taken from Mozilla's, intermediate
> CAs are spread over CA providers, have a much shorter validity period (in most
> cases up to 5-7 years) and, for this reason, should be continuously
> maintained by the proxy admin.
>
> Also, remove this:
>
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_error allow all
>
> From your config. Don't. Never. This completely disables ANY
> security checks for certificates, which leads to a giant vulnerability for your users.
> sslproxy_cert_error should be restricted by very specific ACL(s) in
> your config, only for the number of sites you trust.
>
> 28.04.2017 2:27, David Touzeau пишет:
>> Hi yuri
>>
>> I did not know if Squid has the Symantec intermediate certificate; Squid
>> is installed as default...
>> Any howto?
>>
>>
>> -----Message d'origine-----
>> De : squid-users [mailto:[hidden email]]
>> De la part de Yuri Voinov Envoyé : jeudi 27 avril 2017 22:09 À :
>> [hidden email] Objet : Re: [squid-users] 3.5.25:
>> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>> Look. It can be an intermediate certificates issue.
>>
>> Does Squid have Symantec intermediate certificates?
>>
>>
>> 27.04.2017 22:47, David Touzeau пишет:
>>> Hi,
>>> I'm unable to access the https://www.boutique.afnor.org website.
>>> I would like to know if this issue cannot be fixed and I must deny
>>> bumping the website to fix it.
>>> Without Squid the website is correctly displayed.
>>>
>>> Squid claims an error page with "(71) Protocol error (TLS code:
>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>
>>> In cache.log: "Error negotiating SSL on FD 17:
>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>
>>> Using the following configuration:
>>>
>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>> sslcrtd_program /lib/squid3/ssl_crtd -s
>>> /var/lib/squid/session/ssl/ssl_db -M 8MB sslcrtd_children 16
>>> startup=5
>>> idle=1 acl FakeCert ssl::server_name .apple.com acl FakeCert
>>> ssl::server_name .icloud.com acl FakeCert ssl::server_name
>>> .mzstatic.com acl FakeCert ssl::server_name .dropbox.com acl
>>> ssl_step1 at_step SslBump1 acl ssl_step2 at_step SslBump2 acl
>>> ssl_step3 at_step
>>> SslBump3 ssl_bump peek ssl_step1 ssl_bump splice FakeCert ssl_bump
>>> bump ssl_step2 all ssl_bump splice all
>>>
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression sslproxy_cipher
>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:
>>> !aNULL
>>> :!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>>
>>>
>>> Openssl info
>>> ----------------------------------------------------------------------
>>>
>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
>>> OU = "(c)
>>> 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
>>> 3 Public Primary Certification Authority - G5 verify return:1
>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust
>>> Network, CN = Symantec Class 3 Secure Server CA - G4 verify return:1
>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O =
>>> ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE
>>> DE NORMALISATION, CN = www.boutique.afnor.org verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE
>>> DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>> NORMALISATION/CN=www.boutique.afnor.org
>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4 -----BEGIN
>>> CERTIFICATE----- ../..
>>> -----END CERTIFICATE-----
>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
>>> Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- ../..
>>> -----END CERTIFICATE-----
>>> ---
>>> Server certificate
>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION
>>> FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>> NORMALISATION/CN=www.boutique.afnor.org
>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3105 bytes and written 616 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES128-SHA
>>>     Session-ID:
>>> 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>     Session-ID-ctx:
>>>     Master-Key:
>>> D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1493311275
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> read:errno=0
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>

--
Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Yuri Voinov
Raf,

Intermediate CAs are required anyway. Not all good webmasters - just a
focus of the world's Good - add intermediate certificates to the chain. ;-)

Evil proxy administrators - the focus of the world's Evil - must do this
manually. Still :-D

28.04.2017 22:00, Rafael Akchurin пишет:

> Hello David and all,
>
> According to https://www.ssllabs.com/ssltest/analyze.html?d=www.boutique.afnor.org&hideResults=on you do not need to add any intermediate certificates to system storage - site seems to be sending the whole chain as it should...
>
> BUT the overall site SSL rating is so bad..
>
> Raf
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of David Touzeau
> Sent: Friday, April 28, 2017 10:14 AM
> To: 'Yuri Voinov'; [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> I'm fighting to find the correct certificate chain for this website:
> https://www.boutique.afnor.org
>
> I have also added all certificates included in this package:
> https://packages.debian.org/fr/sid/ca-certificates
>
>
> Do you have any tips to help ?
>
> Best regards
>
> -----Message d'origine-----
> De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril 2017 23:26 À : David Touzeau <[hidden email]>; [hidden email] Objet : Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Be careful with intermediate CA's you grabbed. Check their validity, fingerprints and attributes.
>
> Proxying SSL requires much more work with Squid.
>
>
> 28.04.2017 3:12, David Touzeau пишет:
>> Thanks Yuri
>>
>>  ! but I still have the error " Error negotiating SSL on FD 13:
>> error:00000000:lib(0):func(0):reason(0) (5/0/0) " and cannot browse to
>> the site (as I saw you can with your Squid...???)
> Yes. With two different versions.
>> Created a file /etc/squid3/cabundle.pem
>>
>> Added Symantec certificates available here:
>> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id
>> =INFO2047
>>
>> add
>>
>> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>>
>> and perform a squid -k reconfigure
>>
>> Missing something ???
> Maybe. I recommend re-initializing the mimic certificates DB as well and restarting Squid, not reconfiguring.
>
> Keep in mind that SSL bump is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.
>> Best regards
>>
>> -----Message d'origine-----
>> De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril
>> 2017 22:52 À : David Touzeau <[hidden email]>;
>> [hidden email] Objet : Re: [squid-users] 3.5.25:
>> (71) Protocol error (TLS code:
>> SQUID_ERR_SSL_HANDSHAKE)
>>
>> Squid can't have any intermediate certificates. As by as root CA's.
>>
>> You can use this:
>>
>> #  TAG: sslproxy_foreign_intermediate_certs
>> #    Many origin servers fail to send their full server certificate
>> #    chain for verification, assuming the client already has or can
>> #    easily locate any missing intermediate certificates.
>> #
>> #    Squid uses the certificates from the specified file to fill in
>> #    these missing chains when trying to validate origin server
>> #    certificate chains.
>> #
>> #    The file is expected to contain zero or more PEM-encoded
>> #    intermediate certificates. These certificates are not treated
>> #    as trusted root certificates, and any self-signed certificate in
>> #    this file will be ignored.
>> #Default:
>> # none
>>
>> However, you should identify and collect them by yourself.
>>
>> The biggest problem:
>>
>> Unlike root CA's, which can be taken from Mozilla's, intermediate
>> CAs are spread over CA providers, have a much shorter validity period (in most
>> cases up to 5-7 years) and, for this reason, should be continuously
>> maintained by the proxy admin.
>>
>> Also, remove this:
>>
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>> From your config. Don't. Never. This completely disables ANY
>> security checks for certificates, which leads to a giant vulnerability for your users.
>> sslproxy_cert_error should be restricted by very specific ACL(s) in
>> your config, only for the number of sites you trust.
>>
>> 28.04.2017 2:27, David Touzeau пишет:
>>> Hi yuri
>>>
>>> I did not know if Squid has the Symantec intermediate certificate; Squid
>>> is installed as default...
>>> Any howto?
>>>
>>>
>>> -----Message d'origine-----
>>> De : squid-users [mailto:[hidden email]]
>>> De la part de Yuri Voinov Envoyé : jeudi 27 avril 2017 22:09 À :
>>> [hidden email] Objet : Re: [squid-users] 3.5.25:
>>> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>>
>>> Look. It can be an intermediate certificates issue.
>>>
>>> Does Squid have Symantec intermediate certificates?
>>>
>>>
>>> 27.04.2017 22:47, David Touzeau пишет:
>>>> Hi,
>>>> I'm unable to access the https://www.boutique.afnor.org website.
>>>> I would like to know if this issue cannot be fixed and I must deny
>>>> bumping the website to fix it.
>>>> Without Squid the website is correctly displayed.
>>>>
>>>> Squid claims an error page with "(71) Protocol error (TLS code:
>>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>>
>>>> In cache.log: "Error negotiating SSL on FD 17:
>>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>>
>>>> Using the following configuration:
>>>>
>>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>>> sslcrtd_program /lib/squid3/ssl_crtd -s
>>>> /var/lib/squid/session/ssl/ssl_db -M 8MB sslcrtd_children 16
>>>> startup=5
>>>> idle=1 acl FakeCert ssl::server_name .apple.com acl FakeCert
>>>> ssl::server_name .icloud.com acl FakeCert ssl::server_name
>>>> .mzstatic.com acl FakeCert ssl::server_name .dropbox.com acl
>>>> ssl_step1 at_step SslBump1 acl ssl_step2 at_step SslBump2 acl
>>>> ssl_step3 at_step
>>>> SslBump3 ssl_bump peek ssl_step1 ssl_bump splice FakeCert ssl_bump
>>>> bump ssl_step2 all ssl_bump splice all
>>>>
>>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression sslproxy_cipher
>>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:
>>>> !aNULL
>>>> :!eNULL
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>>
>>>>
>>>>
>>>> Openssl info
>>>> ----------------------------------------------------------------------
>>>>
>>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>>
>>>> CONNECTED(00000003)
>>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
>>>> OU = "(c)
>>>> 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
>>>> 3 Public Primary Certification Authority - G5 verify return:1
>>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust
>>>> Network, CN = Symantec Class 3 Secure Server CA - G4 verify return:1
>>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O =
>>>> ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE
>>>> DE NORMALISATION, CN = www.boutique.afnor.org verify return:1
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE
>>>> DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>>> NORMALISATION/CN=www.boutique.afnor.org
>>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4 -----BEGIN
>>>> CERTIFICATE----- ../..
>>>> -----END CERTIFICATE-----
>>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>>>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
>>>> Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- ../..
>>>> -----END CERTIFICATE-----
>>>> ---
>>>> Server certificate
>>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION
>>>> FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>>> NORMALISATION/CN=www.boutique.afnor.org
>>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 3105 bytes and written 616 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1
>>>>     Cipher    : AES128-SHA
>>>>     Session-ID:
>>>> 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>>     Session-ID-ctx:
>>>>     Master-Key:
>>>> D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1493311275
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 0 (ok)
>>>> ---
>>>> read:errno=0
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> [hidden email]
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>> --
>>> Bugs to the Future
>>>
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

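As an added example (not code from the thread, from Squid, or from any of the posters): Yuri's advice above comes down to two checks on the file given to sslproxy_foreign_intermediate_certs, namely inspect each entry's validity, fingerprint and attributes, and confirm the intermediates you collected actually close the chain for a server that sends only its leaf. The Go program below does both. It constructs its own throwaway root, intermediate and leaf for the hypothetical host origin.example (the host name, the CN values and the Finding fields are mine), so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is the audit record for one certificate in a PEM bundle.
type Finding struct {
	Subject, Issuer, SHA256   string
	SelfSigned, IsCA, Expired bool
	DaysLeft                  int
}

// AuditBundle checks each CERTIFICATE block of a bundle meant for sslproxy_foreign_intermediate_certs:
// validity window, SHA-256 fingerprint, CA flag and self-signed status (Squid ignores self-signed entries there).
func AuditBundle(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return out, nil // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other material do not belong in this file
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("bundle entry %d: %w", len(out)+1, err)
		}
		sum := sha256.Sum256(c.Raw)
		out = append(out, Finding{
			Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
			SHA256: hex.EncodeToString(sum[:]), IsCA: c.IsCA,
			SelfSigned: c.CheckSignatureFrom(c) == nil,
			Expired:    now.Before(c.NotBefore) || now.After(c.NotAfter),
			DaysLeft:   int(c.NotAfter.Sub(now).Hours() / 24),
		})
	}
}

// ChainVerifies does what Squid does with that file when a server sends only its leaf: build a path
// from the leaf through the supplied intermediates to a trusted root for host. nil means the chain closes.
func ChainVerifies(leafPEM, interPEM, rootsPEM []byte, host string, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootsPEM)
	inter.AppendCertsFromPEM(interPEM) // an empty intermediate file is legal
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter, CurrentTime: now})
	}
	return err
}

// newCert mints one constructed certificate (test data only); a nil parent yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleChain builds root -> intermediate -> leaf (constructed, throwaway) and returns leaf, intermediate, root PEMs.
func SampleChain() ([]byte, []byte, []byte) {
	r, rk, rootPEM := newCert("root-ca.example", true, nil, nil)
	i, ik, interPEM := newCert("intermediate-ca.example", true, r, rk)
	_, _, leafPEM := newCert("origin.example", false, i, ik)
	return leafPEM, interPEM, rootPEM
}

func main() {
	leaf, inter, root := SampleChain()
	findings, _ := AuditBundle(append(append([]byte(nil), inter...), root...), time.Now())
	fmt.Printf("%+v\n", findings)
	// The server sends only its leaf: this fails until the intermediate file fills the gap.
	fmt.Println("leaf alone:        ", ChainVerifies(leaf, nil, root, "origin.example", time.Now()))
	fmt.Println("with intermediates:", ChainVerifies(leaf, inter, root, "origin.example", time.Now()))
}
```

Point AuditBundle at the real bundle (the thread's /etc/squid3/cabundle.pem) to get the validity and fingerprint listing Yuri asks for; an entry reported as SelfSigned is a root that Squid will ignore in that file.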

Re: 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

David Touzeau-3
Added

Symantec Class 3 Secure Server CA - G4
VeriSign Class 3 Public Primary Certification Authority - G5

Same issue :=(



-----Message d'origine-----
De : Yuri Voinov [mailto:[hidden email]]
Envoyé : vendredi 28 avril 2017 19:31
À : Rafael Akchurin <[hidden email]>; David Touzeau <[hidden email]>; [hidden email]
Objet : Re: [squid-users] 3.5.25: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Raf,

Intermediate CAs are required anyway. Not all good webmasters - just a focus of the world's Good - add intermediate certificates to the chain. ;-)

Evil proxy administrators - the focus of the world's Evil - must do this manually. Still :-D

28.04.2017 22:00, Rafael Akchurin пишет:

> Hello David and all,
>
> According to https://www.ssllabs.com/ssltest/analyze.html?d=www.boutique.afnor.org&hideResults=on you do not need to add any intermediate certificates to system storage - site seems to be sending the whole chain as it should...
>
> BUT the overall site SSL rating is so bad..
>
> Raf
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]]
> On Behalf Of David Touzeau
> Sent: Friday, April 28, 2017 10:14 AM
> To: 'Yuri Voinov'; [hidden email]
> Subject: Re: [squid-users] 3.5.25: (71) Protocol error (TLS code:
> SQUID_ERR_SSL_HANDSHAKE)
>
> I'm fighting to find the correct certificate chain for this website:
> https://www.boutique.afnor.org
>
> I have also added all certificates included in this package:
> https://packages.debian.org/fr/sid/ca-certificates
>
>
> Do you have any tips to help ?
>
> Best regards
>
> -----Message d'origine-----
> De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril
> 2017 23:26 À : David Touzeau <[hidden email]>;
> [hidden email] Objet : Re: [squid-users] 3.5.25:
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Be careful with intermediate CA's you grabbed. Check their validity, fingerprints and attributes.
>
> Proxying SSL requires much more work with Squid.
>
>
> 28.04.2017 3:12, David Touzeau пишет:
>> Thanks Yuri
>>
>>  ! but I still have the error " Error negotiating SSL on FD 13:
>> error:00000000:lib(0):func(0):reason(0) (5/0/0) " and cannot browse
>> to the site (as I saw you can with your Squid...???)
> Yes. With two different versions.
>> Created a file /etc/squid3/cabundle.pem
>>
>> Added Symantec certificates available here:
>> https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&i
>> d
>> =INFO2047
>>
>> add
>>
>> sslproxy_foreign_intermediate_certs  /etc/squid3/cabundle.pem
>>
>> and perform a squid -k reconfigure
>>
>> Missing something ???
> Maybe. I recommend re-initializing the mimic certificates DB as well and restarting Squid, not reconfiguring.
>
> Keep in mind that SSL bump is critically important for success. For example, AFAIK stare is often the opposite of bump (in most cases). Read the wiki article, but also remember this functionality is still evolving and can change without notice. So, experiment.
>> Best regards
>>
>> -----Message d'origine-----
>> De : Yuri Voinov [mailto:[hidden email]] Envoyé : jeudi 27 avril
>> 2017 22:52 À : David Touzeau <[hidden email]>;
>> [hidden email] Objet : Re: [squid-users] 3.5.25:
>> (71) Protocol error (TLS code:
>> SQUID_ERR_SSL_HANDSHAKE)
>>
>> Squid can't have any intermediate certificates. As by as root CA's.
>>
>> You can use this:
>>
>> #  TAG: sslproxy_foreign_intermediate_certs
>> #    Many origin servers fail to send their full server certificate
>> #    chain for verification, assuming the client already has or can
>> #    easily locate any missing intermediate certificates.
>> #
>> #    Squid uses the certificates from the specified file to fill in
>> #    these missing chains when trying to validate origin server
>> #    certificate chains.
>> #
>> #    The file is expected to contain zero or more PEM-encoded
>> #    intermediate certificates. These certificates are not treated
>> #    as trusted root certificates, and any self-signed certificate in
>> #    this file will be ignored.
>> #Default:
>> # none
>>
>> However, you should identify and collect them by yourself.
>>
>> The biggest problem:
>>
>> Unlike root CA's, which can be taken from Mozilla's, intermediate
>> CAs are spread over CA providers, have a much shorter validity period
>> (in most cases up to 5-7 years) and, for this reason, should be
>> continuously maintained by the proxy admin.
>>
>> Also, remove this:
>>
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>> From your config. Don't. Never. This completely disables ANY
>> security checks for certificates, which leads to a giant vulnerability for your users.
>> sslproxy_cert_error should be restricted by very specific ACL(s) in
>> your config, only for the number of sites you trust.
>>
>> 28.04.2017 2:27, David Touzeau пишет:
>>> Hi yuri
>>>
>>> I did not know if Squid has the Symantec intermediate certificate; Squid
>>> is installed as default...
>>> Any howto?
>>>
>>>
>>> -----Message d'origine-----
>>> De : squid-users [mailto:[hidden email]]
>>> De la part de Yuri Voinov Envoyé : jeudi 27 avril 2017 22:09 À :
>>> [hidden email] Objet : Re: [squid-users] 3.5.25:
>>> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>>
>>> Look. It can be an intermediate certificates issue.
>>>
>>> Does Squid have Symantec intermediate certificates?
>>>
>>>
>>> 27.04.2017 22:47, David Touzeau пишет:
>>>> Hi,
>>>> I'm unable to access the https://www.boutique.afnor.org website.
>>>> I would like to know if this issue cannot be fixed and I must deny
>>>> bumping the website to fix it.
>>>> Without Squid the website is correctly displayed.
>>>>
>>>> Squid claims an error page with "(71) Protocol error (TLS code:
>>>> SQUID_ERR_SSL_HANDSHAKE)"
>>>>
>>>> In cache.log: "Error negotiating SSL on FD 17:
>>>> error:00000000:lib(0):func(0):reason(0) (5/0/0)"
>>>>
>>>> Using the following configuration:
>>>>
>>>> http_port 0.0.0.0:3128  name=MyPortNameID20 ssl-bump
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>> cert=/etc/squid3/ssl/0c451f46b4d05031560d8195f30165cb.dyn
>>>> sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
>>>> sslcrtd_program /lib/squid3/ssl_crtd -s
>>>> /var/lib/squid/session/ssl/ssl_db -M 8MB sslcrtd_children 16
>>>> startup=5
>>>> idle=1 acl FakeCert ssl::server_name .apple.com acl FakeCert
>>>> ssl::server_name .icloud.com acl FakeCert ssl::server_name
>>>> .mzstatic.com acl FakeCert ssl::server_name .dropbox.com acl
>>>> ssl_step1 at_step SslBump1 acl ssl_step2 at_step SslBump2 acl
>>>> ssl_step3 at_step
>>>> SslBump3 ssl_bump peek ssl_step1 ssl_bump splice FakeCert ssl_bump
>>>> bump ssl_step2 all ssl_bump splice all
>>>>
>>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression sslproxy_cipher
>>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:
>>>> !aNULL
>>>> :!eNULL
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>>
>>>>
>>>>
>>>> Openssl info
>>>> ----------------------------------------------------------------------
>>>>
>>>> openssl s_client -connect 195.115.26.58:443 -showcerts
>>>>
>>>> CONNECTED(00000003)
>>>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
>>>> OU = "(c)
>>>> 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
>>>> 3 Public Primary Certification Authority - G5 verify return:1
>>>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust
>>>> Network, CN = Symantec Class 3 Secure Server CA - G4 verify
>>>> return:1
>>>> depth=0 C = FR, ST = Seine Saint Denis, L = ST DENIS, O =
>>>> ASSOCIATION FRANCAISE DE NORMALISATION, OU = ASSOCIATION FRANCAISE
>>>> DE NORMALISATION, CN = www.boutique.afnor.org verify return:1
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION FRANCAISE
>>>> DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>>> NORMALISATION/CN=www.boutique.afnor.org
>>>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4 -----BEGIN
>>>> CERTIFICATE----- ../..
>>>> -----END CERTIFICATE-----
>>>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
>>>> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
>>>> Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- ../..
>>>> -----END CERTIFICATE-----
>>>> ---
>>>> Server certificate
>>>> subject=/C=FR/ST=Seine Saint Denis/L=ST DENIS/O=ASSOCIATION
>>>> FRANCAISE DE NORMALISATION/OU=ASSOCIATION FRANCAISE DE
>>>> NORMALISATION/CN=www.boutique.afnor.org
>>>> issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec Class 3 Secure Server CA - G4
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 3105 bytes and written 616 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048
>>>> bit Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1
>>>>     Cipher    : AES128-SHA
>>>>     Session-ID:
>>>> 833B0000A2346F50C5AAFC6B5188B4EBD9304CD25411BECFF0713F8D76C65D9D
>>>>     Session-ID-ctx:
>>>>     Master-Key:
>>>> D2DF6C62264D03D7D44AF44EB8C0B1B7AD0E650D34DF6EBEB1CBEBFE4F30CB9C6F5080AA94F5D6B5955DD8DF06608416
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1493311275
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 0 (ok)
>>>> ---
>>>> read:errno=0
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> [hidden email]
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>> --
>>> Bugs to the Future
>>>
>> --
>> Bugs to the Future
>>
> --
> Bugs to the Future
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

--
Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users