Re: [squid-users] Gateway Proxy failure - but only with one browser ...
On 4/29/20 2:16 PM, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...

While your symptoms are a bit different, you might be suffering from the
problem fixed by https://github.com/squid-cache/squid/pull/588

> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;

When staring or bumping, it is. However, "different" does not imply
"unrelated" (as discussed below).

> how can there be an SSL handshake problem between squid and server when
> using an old browser?

Depending on the conditions, Squid relays parts of the browser handshake
when talking to the server. For more (incomplete/stale) details, please
see the "Mimicking TLS Client Hello properties when staring" section at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

IIRC, Squid mimics at least some properties because we wanted Squid to
"represent" the client to the server as faithfully as possible (i.e.,
minimize Squid-introduced changes to the TLS-negotiated parameters). In
retrospect, I am not sure that was the right decision. Perhaps the choice
should be the opposite or configurable.

Please note that I am not trying to justify Squid actions. I am only
explaining why what you observe may be possible. One could argue that
Squid should not mimic the TLS client at all (when staring). I do not
recall whether anybody has tried to make that argument.

HTH,

Alex.

> On 29.04.2020 19:26, Walter H. wrote:
>> I have two squids,
>>
>> one does SSL bump (3.5latest CentOS 6)
>> the other doesn't SSL bump (3.4latest CentOS 6)
>>
>> everything works,
>>
>> I have a site that uses SSL/TLS, and two different browsers (one in a
>> VM with old windows),
>>
>> when I use the squid without SSL bump, the site works with both browsers,
>>
>> but when I use the squid with SSL bump, with the old browser I get a
>> "Gateway Proxy failure"
>>
>> the log shows this:
>>
>> host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
>>
>> compared to the log when using the other browser ...
>>
>> host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
>> host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
>>
>> is this caused by the browser on old OS itself?
>>
>> squid.conf (of squid with SSL bump)
>>
>> reply_header_access Public-Key-Pins deny all
>>
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
>>
>> ssl_bump peek step1
>> ssl_bump splice nobumpsites
>> ssl_bump stare step2
>> ssl_bump bump all
>>
>> sslproxy_cafile /etc/squid/ca-bundle.trust.crt
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
>>
>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
>> sslcrtd_children 8
>>
>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3
>>
>>
>> Thanks,
>> Walter

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
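The mechanism Alex describes above, as an added example that is not code from the thread or from Squid itself: a minimal TLS ClientHello builder and parser, plus a model of an origin server that enforces a minimum protocol version. It shows what a peeking proxy can read from the client's hello (SNI, cipher suites, the highest version offered) before it contacts any server, and what happens when the proxy "mimics" that hello towards a server whose floor is above the client's ceiling. Everything here is an assumption for illustration: the two hellos are constructed, not captured from the thread; the old browser is modelled as TLS 1.0-only; the origin's floor is set to TLS 1.2; and the proxy's own stack is assumed to speak TLS 1.2. Whether the real server and browser behaved exactly this way is not stated on the page.

```python
"""Why an old browser's ClientHello can break the proxy-to-server handshake.

Added example (not Squid code): builds/parses TLS ClientHello records and models
a server that answers 'alert protocol_version' when the hello's ceiling is below
the server's floor, which is what the proxy's OpenSSL reports as
'tlsv1 alert protocol version'.
"""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
PROXY_MAX_VERSION = TLS12   # assumption: ceiling of the proxy's own TLS library


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(legacy_version, cipher_suites, sni=None, supported_versions=None):
    """Serialise one TLS record carrying a ClientHello (RFC 5246 / RFC 8446 layout)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name        # name_type host_name(0)
        exts += _u16(EXT_SNI) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    if supported_versions:                              # only TLS 1.3 clients send this
        vers = b"".join(_u16(v) for v in supported_versions)
        exts += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    suites = b"".join(_u16(s) for s in cipher_suites)
    body = (_u16(legacy_version) + bytes(32)            # constructed all-zero client random
            + b"\x00"                                   # empty session id
            + _u16(len(suites)) + suites
            + b"\x01\x00"                               # compression methods: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + _u16(TLS10) + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Return the ClientHello fields a peeking proxy can read before contacting any server."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression methods
    info = {"legacy_version": legacy_version, "cipher_suites": suites,
            "sni": None, "supported_versions": None}
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SNI:                        # list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:       # len(1) then 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info


def highest_offered_version(info):
    """Pre-1.3 clients signal their ceiling in legacy_version; 1.3 clients use supported_versions."""
    return max(info["supported_versions"]) if info["supported_versions"] else info["legacy_version"]


def proxy_hello_to_server(client_record, mimic):
    """Hello the proxy sends to the origin: the client's own properties (mimic=True, the
    'stare' behaviour Alex describes) or one built from the proxy's own TLS stack (mimic=False)."""
    client = parse_client_hello(client_record)
    if mimic:
        return client
    # hypothetical proxy-side suites: ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256
    return parse_client_hello(build_client_hello(PROXY_MAX_VERSION, [0xC02F, 0x009C], sni=client["sni"]))


def server_answer(hello_info, server_min_version):
    """Model a server that refuses any hello whose ceiling is below its floor."""
    if highest_offered_version(hello_info) < server_min_version:
        return "alert protocol_version"
    return "ServerHello"


# Constructed hellos (not captures). The "old" one is a TLS 1.0-only browser:
# legacy_version 0x0301, no supported_versions extension (assumed for Firefox 2 on NT4).
OLD_BROWSER_HELLO = build_client_hello(TLS10, [0x0035, 0x002F], sni="ssl.mathemainzel.info")
NEW_BROWSER_HELLO = build_client_hello(TLS12, [0x1301, 0xC02F], sni="ssl.mathemainzel.info",
                                       supported_versions=[TLS13, TLS12])
SERVER_MIN_VERSION = TLS12   # assumption: the origin refuses anything below TLS 1.2


def outcome(client_record, mimic=True):
    return server_answer(proxy_hello_to_server(client_record, mimic), SERVER_MIN_VERSION)


if __name__ == "__main__":
    for label, rec in (("old browser", OLD_BROWSER_HELLO), ("new browser", NEW_BROWSER_HELLO)):
        info = parse_client_hello(rec)
        print(f"{label}: sni={info['sni']} ceiling={highest_offered_version(info):#06x} "
              f"mimic->{outcome(rec, True)}  own-hello->{outcome(rec, False)}")
```

With these assumptions the old browser's hello is accepted only when the proxy stops mimicking and offers its own ceiling; the new browser's hello works either way, which matches the per-browser split in Walter's logs. The model deliberately ignores everything else a real stare/bump may copy (cipher list, extensions, curves); the wiki section Alex links is the reference for what Squid actually mimics, and whether the browser-to-proxy leg can still complete is a separate question this model does not answer.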
Re: [squid-users] Gateway Proxy failure - but only with one browser ...
On 30/04/20 6:16 am, Walter H. wrote:
> It is very probable that the following has the same reason - but I don't
> know what's causing it ...
>
> the old browser on old OS gives this
>
>
> While trying to retrieve the URL: https://mein.elba.hypo.at/*
>
> The following error was encountered:
>
> * Failed to establish a secure connection to 217.13.188.204
>
> The system returned:
>
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:1407742E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> ...
>
>
> the new browser works ...
>
> I thought that the SSL connection between browser and squid is different
> from the one between squid and server;
> how can there be an SSL handshake problem between squid and server when
> using an old browser?
>

For transparency and because TLS requirements are embedded in the
certificates Squid makes the connection to the server as close as possible
to the same properties the client connection uses.

The change in browser thus affects both what Squid can pass on to the
server, and what can be passed back from the server to the client.

...

>> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

This is a misconfiguration. Please drop the DONT_VERIFY_PEER.

If the server is not validating using the CA certs you told Squid were the
*only* acceptable CAs:

  sslproxy_cafile /etc/squid/ca-bundle.trust.crt

... then either the contents of that file are wrong, or the server
connection is compromised. Determining the latter is the whole point of
TLS.

Amos
Re: [squid-users] Gateway Proxy failure - but only with one browser ...
It is very probable that the following has the same reason - but I don't
know what's causing it ...

the old browser on old OS gives this

  While trying to retrieve the URL: https://mein.elba.hypo.at/*

  The following error was encountered:

  * Failed to establish a secure connection to 217.13.188.204

  The system returned:

    (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

...

the new browser works ...

I thought that the SSL connection between browser and squid is different
from the one between squid and server;
how can there be an SSL handshake problem between squid and server when
using an old browser?

On 29.04.2020 19:26, Walter H. wrote:
> I have two squids,
>
> one does SSL bump (3.5latest CentOS 6)
> the other doesn't SSL bump (3.4latest CentOS 6)
>
> everything works,
>
> I have a site that uses SSL/TLS, and two different browsers (one in a
> VM with old windows),
>
> when I use the squid without SSL bump, the site works with both browsers,
>
> but when I use the squid with SSL bump, with the old browser I get a
> "Gateway Proxy failure"
>
> the log shows this:
>
> host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
> host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
>
> compared to the log when using the other browser ...
>
> host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
> host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
>
> is this caused by the browser on old OS itself?
>
> squid.conf (of squid with SSL bump)
>
> reply_header_access Public-Key-Pins deny all
>
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
>
> ssl_bump peek step1
> ssl_bump splice nobumpsites
> ssl_bump stare step2
> ssl_bump bump all
>
> sslproxy_cafile /etc/squid/ca-bundle.trust.crt
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
>
> sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
> sslcrtd_children 8
>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3
>
> Thanks,
> Walter
[squid-users] Gateway Proxy failure - but only with one browser ...
I have two squids,

one does SSL bump (3.5latest CentOS 6)
the other doesn't SSL bump (3.4latest CentOS 6)

everything works,

I have a site that uses SSL/TLS, and two different browsers (one in a
VM with old windows),

when I use the squid without SSL bump, the site works with both browsers,

but when I use the squid with SSL bump, with the old browser I get a
"Gateway Proxy failure"

the log shows this:

host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info

compared to the log when using the other browser ...

host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info

is this caused by the browser on old OS itself?

squid.conf (of squid with SSL bump)

reply_header_access Public-Key-Pins deny all

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3

Thanks,
Walter