Unliked SSL cipher


tkalfaoglu

Hi. Can I ask for assistance solving this problem. Many thanks!

Fedora # rpm -qa|grep squid
squid-4.0.17-1.fc25.x86_64
# uname -a
Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13 01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


ERROR

The requested URL could not be retrieved


The following error was encountered while trying to retrieve the URL: https://91.198.174.192/*

Failed to establish a secure connection to 91.198.174.192

The system returned:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is [hidden email].



Generated Wed, 19 Apr 2017 06:46:00 GMT by proxy (squid/4.0.17)



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Unliked SSL cipher

Amos Jeffries
Administrator



On 19/04/17 18:49, turgut kalfaoğlu wrote:

> Hi. Can I ask for assistance solving this problem. Many thanks!
>
> Fedora # rpm -qa|grep squid
> squid-4.0.17-1.fc25.x86_64
> # uname -a
> Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13 01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> ERROR
>
> The requested URL could not be retrieved
>
> The following error was encountered while trying to retrieve the URL: https://91.198.174.192/*
>
> Failed to establish a secure connection to 91.198.174.192
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned



The OpenSSL library being used by the proxy does not know what the cipher(s) being offered by the server is/are. It is probably needing an upgrade.

Amos


Re: Unliked SSL cipher

dijxie
In reply to this post by tkalfaoglu
Do you receive the same error while connecting to
https://www.wikipedia.org?

If you connect to https://91.198.174.192/* directly, your browser
should warn you about ssl issue; that is because of:

CN = *.wikipedia.org

SAN=
*.wikipedia.org
wikipedia.org
*.m.wikipedia.org
*.zero.wikipedia.org
wikimedia.org
*.wikimedia.org
*.m.wikimedia.org
*.planet.wikimedia.org
mediawiki.org

This certificate is not allowed to be used with IP address (which is
common) and that is the issue I suppose. Certificate is V3 sha256, which
is... perfectly normal.

On 2017-04-19 08:49, turgut kalfaoğlu wrote:

>
> Hi. Can I ask for assistance solving this problem. Many thanks!
>
> Fedora # rpm -qa|grep squid
> squid-4.0.17-1.fc25.x86_64
> # uname -a
> Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13
> 01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>
>   ERROR
>
>
>     The requested URL could not be retrieved
>
> ------------------------------------------------------------------------
>
> The following error was encountered while trying to retrieve the URL:
> https://91.198.174.192/*
>
>     *Failed to establish a secure connection to 91.198.174.192*
>
> The system returned:
>
>     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
>     Handshake with SSL server failed: error:140920F8:SSL
>     routines:ssl3_get_server_hello:unknown cipher returned
>
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is possible
> that the remote host does not support secure connections, or the proxy
> is not satisfied with the host security credentials.
>
> Your cache administrator is root.
>
>
> ------------------------------------------------------------------------
>
> Generated Wed, 19 Apr 2017 06:46:00 GMT by proxy (squid/4.0.17)
>
>
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users



Re: Unliked SSL cipher

Amos Jeffries
Administrator


On 20/04/17 03:44, [hidden email] wrote:

> Do you receive the same error while connecting to
> https://www.wikipedia.org?
>
> If you connect to https://91.198.174.192/* directly, your browser
> should warn you about ssl issue; that is because of:
>
> CN = *.wikipedia.org
>
> SAN=
> *.wikipedia.org
> wikipedia.org
> *.m.wikipedia.org
> *.zero.wikipedia.org
> wikimedia.org
> *.wikimedia.org
> *.m.wikimedia.org
> *.planet.wikimedia.org
> mediawiki.org
>
> This certificate is not allowed to be used with IP address (which is
> common) and that is the issue I suppose. Certificate is V3 sha256,
> which is... perfectly normal.

Huh? With raw-IP there is no SNI, that is all. The TLS is not getting
far enough for the HTTPS message inside the encryption to have any
relevance to the TLS<->Host validation situation.

It is the server cipher being complained about. And with a particular
"unknown" error rather than the more usual "none negotiable" we see a
lot of when configs mis-match.

Amos


Re: Unliked SSL cipher

tkalfaoglu
In reply to this post by dijxie
On 04/19/2017 06:44 PM, [hidden email] wrote:
> Do you receive the same error while connecting to
> https://www.wikipedia.org?
Yes I do.

I also tried to connect to the IP address as well; and that gives me the
same error.
The browser didn't say anything; it was squid that complained.
Regards,
  -turgut


>
> If you connect to https://91.198.174.192/* directly, your browser
> should warn you about ssl issue; that is because of:
>
> CN = *.wikipedia.org
>
> SAN=
> *.wikipedia.org
> wikipedia.org
> *.m.wikipedia.org
> *.zero.wikipedia.org
> wikimedia.org
> *.wikimedia.org
> *.m.wikimedia.org
> *.planet.wikimedia.org
> mediawiki.org
>
> This certificate is not allowed to be used with IP address (which is
> common) and that is the issue I suppose. Certificate is V3 sha256,
> which is... perfectly normal.
>
> On 2017-04-19 08:49, turgut kalfaoğlu wrote:
>>
>> Hi. Can I ask for assistance solving this problem. Many thanks!
>>
>> Fedora # rpm -qa|grep squid
>> squid-4.0.17-1.fc25.x86_64
>> # uname -a
>> Linux www.kalfaoglu.net 4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13
>> 01:11:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>>   ERROR
>>
>>
>>     The requested URL could not be retrieved
>>
>> ------------------------------------------------------------------------
>>
>> The following error was encountered while trying to retrieve the URL:
>> https://91.198.174.192/*
>>
>>     *Failed to establish a secure connection to 91.198.174.192*
>>
>> The system returned:
>>
>>     (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>>
>>     Handshake with SSL server failed: error:140920F8:SSL
>>     routines:ssl3_get_server_hello:unknown cipher returned
>>
>> This proxy and the remote host failed to negotiate a mutually
>> acceptable security settings for handling your request. It is
>> possible that the remote host does not support secure connections, or
>> the proxy is not satisfied with the host security credentials.
>>
>> Your cache administrator is root.
>>
>>
>> ------------------------------------------------------------------------
>>
>> Generated Wed, 19 Apr 2017 06:46:00 GMT by proxy (squid/4.0.17)
>>
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
>
>


Re: Unliked SSL cipher

Amos Jeffries
Administrator
On 20/04/17 16:44, turgut kalfaoğlu wrote:
> On 04/19/2017 06:44 PM, dijxie wrote:
>> Do you receive the same error while connecting to
>> https://www.wikipedia.org?
> Yes I do.
>
> I also tried to connect to the IP address as well; and that gives me
> the same error.
> The browser didn't say anything; it was squid that complained.


I've now looked into the ciphers being advertised.

The server insists on ECDSA with ChaCha-Poly1305 cipher. The OpenSSL
1.0.2 provided by FC25 does not support those. You need to upgrade your
OpenSSL library.

Amos
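
An added example, not part of the original thread: a check for the condition diagnosed above, unpacking the error code from the Squid page and testing whether an OpenSSL build offers any ECDSA + ChaCha20-Poly1305 suite. It inspects the OpenSSL linked into Python, which is assumed here to be the same system library the proxy uses; the sample lists and function names are constructed for illustration.

```python
import ssl

def decode_openssl_error(code):
    """Unpack an OpenSSL 1.0.x/1.1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def ecdsa_chacha_suites(names):
    """Return the suite names that pair ECDSA authentication with ChaCha20."""
    return sorted(n for n in names if "ECDSA" in n and "CHACHA20" in n)

def local_suite_names():
    """Every cipher suite name the OpenSSL linked into this Python can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # ask for everything the build knows, not the defaults
    return [c["name"] for c in ctx.get_ciphers()]

def diagnose(names):
    """One-line verdict for a list of suite names."""
    hits = ecdsa_chacha_suites(names)
    if hits:
        return "ok: " + ", ".join(hits)
    return "missing: no ECDSA + ChaCha20-Poly1305 suite in this build"

# Constructed samples (assumptions, not captured output): a build without
# ChaCha20 support and the same list with the ChaCha20 suites added.
SAMPLE_WITHOUT = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]
SAMPLE_WITH = SAMPLE_WITHOUT + [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

if __name__ == "__main__":
    # 140920F8 is the hex code in the error page; its text form there is
    # "SSL routines:ssl3_get_server_hello:unknown cipher returned".
    lib, func, reason = decode_openssl_error(0x140920F8)
    print("lib=%d func=%d reason=%d" % (lib, func, reason))
    print("sample without:", diagnose(SAMPLE_WITHOUT))
    print("sample with:   ", diagnose(SAMPLE_WITH))
    print(ssl.OPENSSL_VERSION)
    print("this host:     ", diagnose(local_suite_names()))
```
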
