Squid SSL-bump error Change Cipher Spec


Squid SSL-bump error Change Cipher Spec

johnr
Hi,
 
I have an error when going to a site that is set to be ssl-bumped in squid.
 
I have modified my squid config so that I have not specified any ciphers (I read in another forum post this would be the way to make it closest to the standard openssl).
 
The error that I see in squid cache logs is:  "Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"
 
Comparing two packet captures, one when trying to bump the website and the other when not bumping the website, the difference in sequences is as follows:
 
In the working PCAP:
1) Server Hello, Certificate
2) Client ack
3) Server key exchange, server hello done
4) client ack
5) Client key exchange, change cipher spec, encrypted handshake message (from client)
6) Server change cipher spec
7) Server encrypted handshake message
8) client ack
9) things working
 
In the non-working (ssl-bump) PCAP:
1) Server Hello, Certificate
2) Client ack
3) Server key exchange, server hello done
4) client ack
5) Alert (Level: Fatal, Description: Unexpected Message) (from client)
 
I can attach the PCAPs if it is more helpful; I just didn't want anyone to have to look through all of them in case this was enough to figure out what might be going wrong in the ssl-bumped case.
 
Thank you very much for your help and time,
 
John
 
 
 
 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
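The comparison John made by hand, reconstructed in code: the script below walks raw TLS 1.2 records the way a packet analyser does, lists the handshake messages in each direction (reporting anything after a Change Cipher Spec as encrypted), decodes alerts, and reports the first step at which two captures differ. This is an added example, not code from the thread or from Squid; the record bytes are constructed to mirror the two sequences above (a completed key exchange versus a fatal "unexpected_message" alert sent by the client right after Server Hello Done), and the record/handshake type tables cover only the message types a practitioner meets in such a capture.

```python
"""Reconstruct a TLS 1.2 handshake sequence from raw records and locate the
point where a working and a failing capture diverge. All bytes below are
constructed for this example, not taken from a real capture."""
import struct

RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}
TLS12 = b"\x03\x03"


def record(content_type, body, version=TLS12):
    """Wrap a body in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def handshake_msg(msg_type, body=b""):
    """Handshake message header: type(1) length(3) followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_flight(direction, data, encrypted):
    """Parse the concatenated records one side sent in one flight.

    `encrypted` tracks, per direction, whether that side already sent
    ChangeCipherSpec; records after it cannot be parsed and are reported
    as "Encrypted ...", which is how a packet analyser labels them.
    """
    events = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        off += 5 + length
        name = RECORD_TYPES.get(ctype, f"Unknown({ctype})")
        if ctype == 20:
            events.append(f"{direction}: Change Cipher Spec")
            encrypted[direction] = True
        elif encrypted[direction]:
            events.append(f"{direction}: Encrypted {name}")
        elif ctype == 21:
            if len(body) < 2:
                raise ValueError("truncated alert")
            level = ALERT_LEVELS.get(body[0], body[0])
            desc = ALERT_DESCRIPTIONS.get(body[1], body[1])
            events.append(f"{direction}: Alert (Level: {level}, Description: {desc})")
        elif ctype == 22:
            # A single record may carry several handshake messages back to back.
            p = 0
            while p < len(body):
                if len(body) - p < 4:
                    raise ValueError("truncated handshake header")
                htype = body[p]
                hlen = int.from_bytes(body[p + 1:p + 4], "big")
                if len(body) - p - 4 < hlen:
                    raise ValueError("truncated handshake body")
                hname = HANDSHAKE_TYPES.get(htype, "HandshakeType(%d)" % htype)
                events.append(f"{direction}: {hname}")
                p += 4 + hlen
        else:
            events.append(f"{direction}: {name}")
    return events


def handshake_sequence(flights):
    """flights: list of (direction, record bytes) in wire order."""
    encrypted = {"client": False, "server": False}
    events = []
    for direction, data in flights:
        events.extend(parse_flight(direction, data, encrypted))
    return events


def first_divergence(seq_a, seq_b):
    """Return (index, message_a, message_b) at the first differing step, else None."""
    for i, (a, b) in enumerate(zip(seq_a, seq_b)):
        if a != b:
            return i, a, b
    if len(seq_a) != len(seq_b):
        i = min(len(seq_a), len(seq_b))
        return i, (seq_a[i] if i < len(seq_a) else None), (seq_b[i] if i < len(seq_b) else None)
    return None


# Constructed server flights shared by both captures (bodies are placeholders).
SERVER_FLIGHT_1 = record(22, handshake_msg(2, TLS12 + b"\x00" * 32) + handshake_msg(11, b"\x00" * 3))
SERVER_FLIGHT_2 = record(22, handshake_msg(12, b"\x00" * 8) + handshake_msg(14))

# Working capture: client key exchange, both sides switch to encryption, data flows.
WORKING = [
    ("server", SERVER_FLIGHT_1),
    ("server", SERVER_FLIGHT_2),
    ("client", record(22, handshake_msg(16, b"\x00" * 4)) + record(20, b"\x01") + record(22, b"\x00" * 16)),
    ("server", record(20, b"\x01") + record(22, b"\x00" * 16)),
    ("client", record(23, b"GET / HTTP/1.1\r\n")),
]

# Bumped capture: after Server Hello Done the client sends a fatal unexpected_message alert.
BUMPED = [
    ("server", SERVER_FLIGHT_1),
    ("server", SERVER_FLIGHT_2),
    ("client", record(21, bytes([2, 10]))),
]

if __name__ == "__main__":
    ok, bad = handshake_sequence(WORKING), handshake_sequence(BUMPED)
    for i, step in enumerate(ok, 1):
        print(f"working {i}) {step}")
    for i, step in enumerate(bad, 1):
        print(f"bumped  {i}) {step}")
    print("first divergence:", first_divergence(ok, bad))
```

The script only tells you where the handshake breaks, not why; in this thread the alert comes from the client side (Squid acting as TLS client towards the origin), which is consistent with the `SSL3_GET_MESSAGE:unexpected message` error in cache.log, and the root cause turns out to be configuration rather than anything on the wire.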

Re: Squid SSL-bump error Change Cipher Spec

Amos Jeffries
Administrator

On 1/12/18 3:26 pm, John Refwe wrote:
> Hi,
>  
> I have an error when going to a site that is set to be ssl-bumped in squid.
>  
> I have modified my squid config so that I have not specified any ciphers
> (I read in another forum post this would be the way to make it closest
> to the standard openssl).
>  


What are your squid.conf settings now?

Amos

Re: Squid SSL-bump error Change Cipher Spec

johnr
> What are your squid.conf settings now?

http_port 3128 ssl-bump
tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0




Re: Squid SSL-bump error Change Cipher Spec

Amos Jeffries
Administrator
On 4/12/18 12:18 pm, johnr wrote:
>> What are your squid.conf settings now?
>
> http_port 3128 ssl-bump

You are missing a CA certificate for the bumping process to use for the
certificates it sends the clients.

Also you do not have any ssl_bump lines here. They are required to tell
Squid which of the TLS/SSL traffic to consider for handling. Without
those lines the ssl-bump on the port does nothing.


> tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
>

This should be:
 tls_outgoing_options options=NO_TICKET,ALL,No_SSLv3 min-version=1.0

That use of "ALL" there is a bit obscure. What it actually does is
*enable* all sorts of unsafe security features the library would
normally disable by default. Such as 8-bit hashes and very insecure RSA
keys.

The min-version is only required if the library defaults to actively
rejecting TLS/1.0 or such.

To let the library use its defaults you simply do not configure Squid to
require anything at all (i.e. remove the tls_outgoing_options directive
entirely).

Amos
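Putting Amos's three points together as a minimal squid.conf fragment (an added example, not configuration posted in the thread): the bumping CA on the port, ssl_bump rules so the flag actually applies to traffic, and the outgoing TLS options in the options= form with ALL dropped. The certificate path, certificate database path, cache sizes and the Squid 4 helper name security_file_certgen are assumptions; Squid 3.5 installs the helper as ssl_crtd instead. NO_SSLv3 is written with the OpenSSL spelling.

```conf
# 1. Bumping CA. Squid signs the per-site certificates it hands to clients with
#    this key pair, so clients must trust it. Path is an assumed placeholder.
http_port 3128 ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints and caches the generated certificates (Squid 4 name; assumed paths).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# 2. ssl_bump rules. Without them the ssl-bump flag on the port does nothing.
#    Peek at the ClientHello first, then bump whatever reaches the next step.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 3. Server-side TLS options.
#    Before (from the thread): flags given without "options=", and ALL turns on
#    insecure features the library disables by default.
#      tls_outgoing_options NO_TICKET,ALL,No_SSLv3 min-version=1.0
#    Preferred: omit tls_outgoing_options entirely and take the library defaults.
#    If explicit flags are really needed, use the options= form and leave out ALL;
#    add min-version only if the library refuses TLS/1.0 by default and you need it.
tls_outgoing_options options=NO_TICKET,NO_SSLv3
```

After editing, `squid -k parse` checks the file for syntax errors (the missing options= keyword is exactly the sort of thing it flags) before `squid -k reconfigure` loads it.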