Gateway Proxy failure - but only with one browser ...


Walter H.
I have two squids,

one does SSL bump (3.5latest CentOS 6)
the other doesn't SSL bump (3.4latest CentOS 6)

everything works,

I have a site that uses SSL/TLS, and two different browsers (one in a VM
with old windows),

when I use the squid without SSL bump, the site works with both browsers,

but when I use the squid with SSL bump, with the old browser I get a
"Gateway Proxy failure"

the log shows this:

host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info

compared to the log when using the other browser ...

host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info

is this caused by the browser on old OS itself?

squid.conf (of squid with SSL bump)

reply_header_access Public-Key-Pins deny all

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3


Thanks,
Walter



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
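An added example, not from the thread: a small Python check that takes the access.log lines quoted above (rejoined onto single lines) and flags the pattern Walter describes, a successful CONNECT followed by a Squid-generated 5xx (HIER_NONE) on the same SNI, grouped by User-Agent so a browser-specific cause stands out. The regex is an assumption about the custom log format shown in this post.

```python
import re
from collections import defaultdict

# Matches the access.log format shown in the thread (assumed from the samples):
#   client - - [time] "METHOD URL PROTO" status bytes "referer" "agent" TAG:HIER SNI:name
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<agent>[^"]*)" '
    r'(?P<tag>[^:\s]+):(?P<hier>\S+) SNI:(?P<sni>\S+)$')

def parse(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_bump_failures(lines):
    """Return requests Squid answered itself (HIER_NONE) with a 5xx inside a
    tunnel whose CONNECT had succeeded: the client-side handshake was done,
    but the bumped connection to the origin never delivered a reply."""
    opened, failures = set(), []
    for r in parse(lines):
        key = (r["client"], r["sni"])
        if r["method"] == "CONNECT" and r["status"] == "200":
            opened.add(key)
        elif key in opened and r["status"][0] == "5" and r["hier"] == "HIER_NONE":
            failures.append({k: r[k] for k in ("time", "client", "sni", "status", "agent")})
    return failures

def failures_by_agent(lines):
    """Count failures per User-Agent so a browser-specific cause stands out."""
    counts = defaultdict(int)
    for f in find_bump_failures(lines):
        counts[f["agent"]] += 1
    return dict(counts)

# The four access.log lines from the thread, each rejoined onto one line.
SAMPLE_LOG = [
    'host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info',
    'host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info',
]
```

Run against a real access.log in the same format, the per-agent counts show whether the 5xx responses cluster on one browser, as they do in the sample.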

Re: Gateway Proxy failure - but only with one browser ...

Walter H.
It is very probable that the following has the same reason - but I don't
know what's causing it ...

the old browser on old OS gives this

<errorpage>
While trying to retrieve the URL: https://mein.elba.hypo.at/*

The following error was encountered:

     * Failed to establish a secure connection to 217.13.188.204

The system returned:

     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

     Handshake with SSL server failed: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
...
</errorpage>

the new browser works ...

I thought that the SSL connection between browser and squid is different
from the one between squid and server;
how can there be a SSL handshake problem between squid and server when
using an old browser?


On 29.04.2020 19:26, Walter H. wrote:



Re: Gateway Proxy failure - but only with one browser ...

Amos Jeffries
Administrator
On 30/04/20 6:16 am, Walter H. wrote:

> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
>
> the old browser on old OS gives this
>
> <errorpage>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
>
> The following error was encountered:
>
>     * Failed to establish a secure connection to 217.13.188.204
>
> The system returned:
>
>     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
>     Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
> </errorpage>
>
> the  new browser works ...
>
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be a SSL handshake problem between squid and server when
> using an old browser?
>

For transparency, and because TLS requirements are embedded in the
certificates, Squid makes the connection to the server as close as
possible to the same properties the client connection uses.
The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.

...

>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

This is a misconfiguration. Please drop the DONT_VERIFY_PEER.

If the server is not validating using the CA certs you told Squid were
the *only* acceptable CAs:

  sslproxy_cafile /etc/squid/ca-bundle.trust.crt

... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of TLS.


Amos

Re: Gateway Proxy failure - but only with one browser ...

Alex Rousskov
On 4/29/20 2:16 PM, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...

While your symptoms are a bit different, you might be suffering from the
problem fixed by https://github.com/squid-cache/squid/pull/588


> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version


> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;

When staring or bumping, it is. However, "different" does not imply
"unrelated" (as discussed below).


> how can there be a SSL handshake problem between squid and server when
> using an old browser?

Depending on the conditions, Squid relays parts of the browser handshake
when talking to the server. For more (incomplete/stale) details, please
see the "Mimicking TLS Client Hello properties when staring" section at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

IIRC, Squid mimics at least some properties because we wanted Squid to
"represent" the client to the server as faithfully as possible (i.e.,
minimize Squid-introduced changes to the TLS-negotiated parameters). In
retrospect, I am not sure that was the right decision. Perhaps the
choice should be the opposite or configurable.

Please note that I am not trying to justify Squid actions. I am only
explaining why what you observe may be possible. One could argue that
Squid should not mimic the TLS client at all (when staring). I do not
recall whether anybody has tried to make that argument.


HTH,

Alex.
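An added illustration of Alex's point, not Squid's code: a Python parser that pulls from a TLS ClientHello the properties a staring proxy carries toward the origin (legacy version, cipher suites, SNI), fed with two constructed hellos, one offering only TLS 1.0 like an old browser and one offering TLS 1.2, plus a simple model of how the origin answers each. The hello builder, the `origin_outcome` model and the example.invalid hostname are assumptions made for this demonstration.

```python
import struct

TLS10, TLS12 = (3, 1), (3, 3)          # legacy client_version values

def build_client_hello(version, ciphers, sni):
    """Constructed test input: minimal ClientHello with a fixed random, no
    session id and a single server_name extension."""
    host = sni.encode()
    names = b"\x00" + struct.pack("!H", len(host)) + host
    ext = struct.pack("!HHH", 0, len(names) + 2, len(names)) + names
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", len(suites))
            + suites + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return the legacy version, cipher suites and SNI a staring proxy mimics toward the origin (TLS <= 1.2 hellos; supported_versions is ignored)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]
    version = (body[0], body[1])
    pos = 35 + body[34]                                  # skip random, session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n + 1 + body[pos + n]                         # skip compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, sni = pos + 2, None
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                                   # server_name extension
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            sni = body[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return {"version": version, "ciphers": ciphers, "sni": sni}

def origin_outcome(hello, server_min_version, server_ciphers):
    """Model the origin's reply to a mimicked hello (alert names as in the OpenSSL errors above)."""
    if hello["version"] < server_min_version:
        return "alert protocol version"
    if not set(hello["ciphers"]) & set(server_ciphers):
        return "alert handshake failure"
    return "ok"

# Constructed hellos: an old client offering only TLS 1.0 with legacy suites,
# and a modern one offering TLS 1.2 with an ECDHE AES-GCM suite.
OLD_HELLO = parse_client_hello(build_client_hello(TLS10, [0x002F, 0x000A], "example.invalid"))
NEW_HELLO = parse_client_hello(build_client_hello(TLS12, [0xC02F, 0x002F], "example.invalid"))
```

Against an origin that requires TLS 1.2, the mimicked TLS 1.0 hello yields the same "protocol version" alert quoted in the error page, while the TLS 1.2 hello succeeds.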