Can't open some HTTPS with Squid 4.8


Can't open some HTTPS with Squid 4.8

KOTOXJle6
I'm trying to set up Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to
the Squid error page for sites in ACLs. Yesterday I faced a major problem: HTTPS
sites don't open normally in IE11/Edge and show a blank page only + Squid
replaces the certificate. If I tap F5, sometimes the site opens like it should and
the certificate replacement doesn't happen... and it works not for all sites. I
couldn't pinpoint the dependencies. I also can open some sites like
rambler.ru, kanobu.ru, alexa.com normally. The most interesting thing is
that other browsers like Chrome, FF and even Opera open all sites like they
should and spoof the cert + redirect to the error page only if site persist in ACL.

What I already did:
- Disabled IPv6 on Squid host
- Disabled/Enabled TLS in IE in any variations
- Disabled SPDY/3

Bump settings in squid.conf:

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
    ssl_bump peek all

I have these errors in /var/log/squid/cache.log:

    ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)

    ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)

    ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)

Error in access.log:

    TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html

The same configuration works well on Squid 4.1.

Sorry for the complicated description, I'm new here and it's really hard for me.



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Can't open some HTTPS with Squid 4.8

Amos Jeffries
Administrator
On 3/09/19 11:47 pm, KOTOXJle6 wrote:

> I'm trying to set up Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to
> the Squid error page for sites in ACLs. Yesterday I faced a major problem: HTTPS
> sites don't open normally in IE11/Edge and show a blank page only + Squid
> replaces the certificate. If I tap F5, sometimes the site opens like it should and
> the certificate replacement doesn't happen... and it works not for all sites. I
> couldn't pinpoint the dependencies. I also can open some sites like
> rambler.ru, kanobu.ru, alexa.com normally. The most interesting thing is
> that other browsers like Chrome, FF and even Opera open all sites like they
> should and spoof the cert + redirect to the error page only if site persist in ACL.
>

Huh? What does "only if site persist in ACL" mean?


> What I already did:
> - Disabled IPv6 on Squid host
> - Disabled/Enabled TLS in IE in any variations
> - Disabled SPDY/3
>
> Bump settings in squid.conf:
>
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
> ssl_bump peek all
>
> I have these errors in /var/log/squid/cache.log:
>
> ERROR: negotiating TLS on FD 46: error:1425F175:SSL
> routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
>
> ERROR: negotiating TLS on FD 104: error:14094410:SSL
> routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
>
> ERROR: negotiating TLS on FD 27: error:1423406E:SSL
> routines:tls_parse_stoc_sct:bad extension (1/-1/0)
>

Any of the above errors may occur when connecting a specific client to a
specific server. SSL-Bump is riding the fine line of capability/feature
matching between three TLS/SSL libraries and the software using them -
two sets of which are remote machinery.
All of the above errors (and more) will result in the symptoms you
describe happening. If you don't already know what they mean, use your
favourite search engine. They are quite common and well explained
already by others.

To make any real progress you (or someone) will need to view the TLS
Hello exchanges happening on *both* the client<->Squid and the
Squid<->server connections. I suggest combining a tcpdump capture
(_full_ packets) compared with Squid "debug_options 11,2" info about
what the FD are being used for.
It may be obvious what is going on when you look at that info.


[ If that process is new to you, then I do highly recommend you take a
little time to become familiar. TLS is a changing environment and
SSL-Bump will be presenting you with more of these types of error/problem
that need dealing with in future. ]


> Error in access.log:
>
> TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html
>

407 - HTTP authentication credentials are required for this CONNECT
transaction to happen.

IMPORTANT:  When you have configured proxy authentication and SSL-Bump
you need to be *very* careful to ensure the proxy requests (and gets)
the credentials on the initial client CONNECT request - *and* that the
credentials remain valid for the entire time the HTTPS tunnel is going
to be open. If their need is only discovered later (or any
refresh/update to them) then all Squid can do is abort the HTTPS with an
error.

Amos

Re: Can't open some HTTPS with Squid 4.8

Alex Rousskov
In reply to this post by KOTOXJle6
On 9/3/19 7:47 AM, KOTOXJle6 wrote:

> I have these errors in /var/log/squid/cache.log:
>
> ERROR: negotiating TLS on FD 46: error:1425F175:SSL
> routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)

According to the discussion linked below, these errors may be "normal":
https://security.stackexchange.com/questions/160922/ssl-error-inappropriate-fallback-and-tls-fallback-scsv

To confirm that they are normal, you would need to isolate traffic from
the affected client and see whether its previous connection or tunneling
attempt has failed for some reason.


> ERROR: negotiating TLS on FD 104: error:14094410:SSL
> routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
>
> ERROR: negotiating TLS on FD 27: error:1423406E:SSL
> routines:tls_parse_stoc_sct:bad extension (1/-1/0)

A similar problem was discussed at
http://lists.squid-cache.org/pipermail/squid-users/2019-April/020506.html

If your OpenSSL installation is reasonably fresh, then you will need to
isolate the failure to where you can collect TCP packet samples and/or
Squid debugging logs.


HTH,

Alex.
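The three cache.log codes discussed in this thread, decoded the way Amos and Alex suggest looking them up, as an added example in Python (not Squid's code, and not from either reply). It assumes OpenSSL 1.1.x error-code packing, which is what a Squid linked against OpenSSL 1.1.1 reports; OpenSSL 3.x packs codes differently. The sample log lines are constructed from the codes quoted in the thread (the timestamp prefixes are made up), and the triage hints are my reading of each code, not the list's.

```python
"""Triage Squid cache.log "negotiating TLS" errors by decoding the OpenSSL code.

Added example for the squid-users thread, not Squid project code.  Assumes
OpenSSL 1.1.x error packing (lib<<24 | func<<12 | reason); OpenSSL 3.x packs
codes differently and dropped the function field, so do not use it on 3.x logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three codes quoted in the thread, with made-up
# timestamps in cache.log's "YYYY/MM/DD HH:MM:SS kid1| " prefix.
SAMPLE_CACHE_LOG = """\
2019/09/03 14:47:01 kid1| ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
2019/09/03 14:47:05 kid1| ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
2019/09/03 14:47:09 kid1| ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)
"""

# OpenSSL 1.1.x constants (include/openssl/err.h and ssl.h).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000   # SSL reason >= 1000 mirrors a TLS alert received from the peer
SSL_R_INAPPROPRIATE_FALLBACK = 373
SSL_R_BAD_EXTENSION = 110

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 86: "inappropriate_fallback", 112: "unrecognized_name",
}

LINE_RE = re.compile(
    r"negotiating TLS on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(]*)"
)

def err_get_lib(code: int) -> int:
    """ERR_GET_LIB(): top byte is the library (20 = SSL routines)."""
    return (code >> 24) & 0xFF

def err_get_func(code: int) -> int:
    """ERR_GET_FUNC(): middle 12 bits identify the OpenSSL function."""
    return (code >> 12) & 0xFFF

def err_get_reason(code: int) -> int:
    """ERR_GET_REASON(): low 12 bits are the reason code."""
    return code & 0xFFF

def classify(code: int) -> Tuple[str, Optional[str], str]:
    """Return (category, alert name or None, triage hint) for one OpenSSL error code."""
    if err_get_lib(code) != ERR_LIB_SSL:
        return "other-lib", None, "not an SSL-routines error; run `openssl errstr <code>`"
    reason = err_get_reason(code)
    if reason >= SSL_AD_REASON_OFFSET:
        # OpenSSL received a fatal alert: the peer on this FD refused the handshake.
        alert = reason - SSL_AD_REASON_OFFSET
        return ("peer-alert", TLS_ALERTS.get(alert, f"alert_{alert}"),
                "the other end of this FD refused the handshake; check what Squid "
                "offered it (client side: the mimicked cert; server side: the Hello)")
    if reason == SSL_R_INAPPROPRIATE_FALLBACK:
        # Server-side check of TLS_FALLBACK_SCSV (RFC 7507): the client is retrying
        # with a lower max version after an earlier attempt failed.
        return ("fallback-scsv", None,
                "client sent TLS_FALLBACK_SCSV with a lower max version: a retry "
                "after an earlier failed attempt, so find that earlier failure instead")
    return ("local-failure", None,
            "OpenSSL on the Squid host rejected data the peer sent on this FD")

@dataclass
class TlsError:
    fd: int
    code: int
    reason: int
    reason_text: str
    category: str
    alert: Optional[str]
    hint: str

def parse_cache_log(text: str) -> List[TlsError]:
    """Pull every 'negotiating TLS' error out of cache.log text and classify it."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        category, alert, hint = classify(code)
        found.append(TlsError(int(m.group("fd")), code, err_get_reason(code),
                              m.group("reason").strip(), category, alert, hint))
    return found

if __name__ == "__main__":
    for e in parse_cache_log(SAMPLE_CACHE_LOG):
        tag = e.category + (f"/{e.alert}" if e.alert else "")
        print(f"FD {e.fd:>4} {e.code:08X} lib={err_get_lib(e.code)} "
              f"func={err_get_func(e.code)} reason={e.reason} [{tag}] {e.reason_text}")
        print(f"         {e.hint}")
```

The split the script makes is the one that matters for SSL-Bump triage: a reason code at or above 1000 means the *peer* on that FD sent the alert, so the fault is in what Squid presented (on FD 104 that is a handshake_failure from the other side), whereas "inappropriate fallback" on FD 46 is Squid, as the TLS server for the browser, seeing TLS_FALLBACK_SCSV, i.e. the consequence of an earlier failed attempt rather than its cause. Which side of Squid an FD belongs to comes from the debug_options 11,2 output Amos mentions, which is what lets you pair each line with the right half of the tcpdump capture.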

Re: Can't open some HTTPS with Squid 4.8

KOTOXJle6
In reply to this post by Amos Jeffries
Amos Jeffries wrote
> Huh? What does "only if site persist in ACL" mean?

I'll try to explain by example. I have 2 ACLs, blockvideo and blockvpn; they
contain URLs for video hostings and VPN services. These ACLs are applied to domain
groups blockvideo and blockvpn. I have 2 users, adm1 and user1. user1 is a
member of both groups and adm1 is not.
When user1 tries to open any site from the ACLs (even HTTPS), he should be
redirected to the Squid error page which tells him that access is restricted and he
should contact the local administrator.


Amos Jeffries wrote
> Any of the above errors may occur when connecting a specific client to a
> specific server. SSL-Bump is riding the fine line of capability/feature
> matching between three TLS/SSL libraries and the software using them -
> two sets of which are remote machinery.
> All of the above errors (and more) will result in the symptoms you
> describe happening. If you don't already know what they mean, use your
> favourite search engine. They are quite common and well explained
> already by others.

At this point I realized that the problem is not in the browser settings.


Amos Jeffries wrote

> To make any real progress you (or someone) will need to view the TLS
> Hello exchanges happening on *both* the client<->Squid and the
> Squid<->server connections. I suggest combining a tcpdump capture
> (_full_ packets) compared with Squid "debug_options 11,2" info about
> what the FD are being used for.
> It may be obvious what is going on when you look at that info.
>
>
> [ If that process is new to you, then I do highly recommend you take a
> little time to become familiar. TLS is a changing environment and
> SSL-Bump will be presenting you with more of these types of error/problem
> that need dealing with in future. ]

Thank you. Missed that section somehow. I'll try to do this.



Amos Jeffries wrote

> 407 - HTTP authentication credentials are required for this CONNECT
> transaction to happen.
>
> IMPORTANT:  When you have configured proxy authentication and SSL-Bump
> you need to be *very* careful to ensure the proxy requests (and gets)
> the credentials on the initial client CONNECT request - *and* that the
> credentials remain valid for the entire time the HTTPS tunnel is going
> to be open. If their need is only discovered later (or any
> refresh/update to them) then all Squid can do is abort the HTTPS with an
> error.

It looks like the problem starts at the first step of ssl_bump peek. If I understand
it right, problems appear when Squid is trying to get inside the HTTPS session to
decide whether it should bump (if the site is in the ACL and the user in the group) or splice this
connection.


Alex Rousskov wrote

> According to the discussion linked below, these errors may be "normal":
> https://security.stackexchange.com/questions/160922/ssl-error-inappropriate-fallback-and-tls-fallback-scsv
>
> To confirm that they are normal, you would need to isolate traffic from
> the affected client and see whether its previous connection or tunneling
> attempt has failed for some reason.
>
> A similar problem was discussed at
> http://lists.squid-cache.org/pipermail/squid-users/2019-April/020506.html
>
> If your OpenSSL installation is reasonably fresh, then you will need to
> isolate the failure to where you can collect TCP packet samples and/or
> Squid debugging logs.

Thanks for the links. squid -v shows that this binary uses OpenSSL 1.1.1 11 Sep
2018.



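One way to lay out the peek/bump/splice decisions for the scenario described in this last post (two block lists, applied only to users in the matching groups, HTTPS landing on the Squid error page), written as an added squid.conf example; it is not the poster's configuration and not a file from the Squid project. The http_port line is the one quoted in the thread; every path, the password file, the user-list files, the domain-list files and the "8 hours" lifetime are assumptions, and a real deployment would normally replace the proxy_auth user files with a group helper such as ext_ldap_group_acl.

```squid
# Added example for this thread (not the poster's or the Squid project's file).
# Helper paths, the password/user-list/domain-list files and the ttl are assumed.

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem

# Credentials are challenged on the CONNECT and, through credentialsttl, kept
# valid for longer than any tunnel is expected to stay open: once Squid is
# inside a bumped tunnel it can no longer send a 407 to the client.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm proxy
auth_param basic credentialsttl 8 hours

acl authenticated    proxy_auth REQUIRED
# assumed files: one login per line, the members of each restricted group
acl blockvideo_users proxy_auth "/etc/squid/blockvideo.users"
acl blockvpn_users   proxy_auth "/etc/squid/blockvpn.users"

# The same domain lists matched two ways: SNI while peeking, Host after the bump.
acl blockvideo_sni ssl::server_name "/etc/squid/blockvideo.domains"
acl blockvpn_sni   ssl::server_name "/etc/squid/blockvpn.domains"
acl blockvideo_dst dstdomain        "/etc/squid/blockvideo.domains"
acl blockvpn_dst   dstdomain        "/etc/squid/blockvpn.domains"

acl step1 at_step SslBump1

# 1. Authentication is settled on the CONNECT, before any TLS is touched.
http_access deny !authenticated

# 2. Peek only at the ClientHello (step 1) so that a bump is still possible at
#    step 2; bump only listed sites for listed users and splice everything else,
#    so unrestricted users and unlisted sites never see a replaced certificate.
ssl_bump peek step1
ssl_bump bump blockvideo_sni blockvideo_users
ssl_bump bump blockvpn_sni   blockvpn_users
ssl_bump splice all

# 3. Inside a bumped tunnel the GET is ordinary HTTP to Squid, so the deny
#    below produces the Squid error page instead of a broken TLS handshake.
http_access deny blockvideo_dst blockvideo_users
http_access deny blockvpn_dst   blockvpn_users
http_access allow authenticated
http_access deny all
```

The design choice worth noting is restricting the peek to step 1: peeking at the server Hello as well (which "ssl_bump peek all" does) leaves Squid usually able only to splice or terminate afterwards, whereas deciding on the SNI at step 1 keeps both bump and splice available, and spliced connections never involve a mimicked certificate at all. The 407 on a CONNECT, as in the access.log line quoted in the thread, is the expected first round-trip of this layout, since the client must answer it before the tunnel is opened.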