On 05/02/2014 08:21 AM, Jay Jimenez wrote:
Hi Amos,

Thank you for the response.

Any advice on how I would know exactly what SSL/TLS version Skype is
using, and how do I enable those versions on my squid box?

It has been a while since I investigated Skype but my findings at that time
were that Skype does not use SSL.
Instead, it does a CONNECT and wants a tunnel through Squid but the
SSL bumping only works if the web servers talk SSL+HTTP (HTTPS).
In short, SSL bumping does not work for Skype.

Marcus


What are the changes in 3.4.5 in terms of SSL bumping? Would it help me on
my existing transparent setup to resolve my Skype issue?


Thanks,
Jay

On Fri, May 2, 2014 at 6:57 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
Hi,

I have squid setup that is currently doing transparent SSL
interception. Almost all websites work flawlessly like
https://facebook.com, gmail, banking websites etc. However, when
intercepting SKYPE I've got the following error on my cache.log


2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 166: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 155: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number (1/-1)

This means the SSL/TLS version being requested by the client is not
supported by your proxy.

For example, if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
your proxy or OpenSSL library is configured to disable those insecure
versions.

NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
supported versions in software, as the older protocols are vulnerable to
the BEAST and CRIME attacks.

FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
also may be involved with this.


2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 34: error:1408F10B:SSL


My Setup:

Our firewall only allows ports 80 and 443 and some business ports
that's why Skype will always be redirected by our WCCP router to the
squid box.

My openssl version is OpenSSL 1.0.1e 11 Feb 2013

I hope you have patched that for the Heartbeat vulnerability.

NOTE: Squid is not particularly susceptible to Heartbeat due to our
memory pooling feature, but there is still some leakage, and other
software on the machine will be vulnerable.


My squid version is 3.4. I also tried different Squid versions but failed.

Amos
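The two explanations in this thread (Amos: the client asked for an SSL/TLS version the proxy does not support; Marcus: Skype sends something through CONNECT that is not TLS at all, so it cannot be bumped) both show up as the same `SSL3_GET_RECORD:wrong version number` line in cache.log. The following Python is an added example, not code from the thread or from the Squid project. It does two things a proxy administrator can run offline: it parses the quoted cache.log lines into structured records so repeated failures can be counted per error rather than eyeballed, and it classifies the first bytes a client sent on an intercepted connection (taken from a packet capture, for instance) as a TLS record, an SSLv2-style ClientHello, or not SSL/TLS at all. It goes beyond the thread by also covering plain HTTP arriving on a bumped port, which triggers the same OpenSSL error. The log text, the byte strings and the `min_version` floor are all constructed for the example; the non-TLS sample bytes stand in for any proprietary protocol and are not Skype's real wire format.

```python
import re
from collections import Counter

# Constructed sample: the thread's cache.log lines, unwrapped onto one line
# each.  The last line is deliberately truncated, as it appears in the mail.
SAMPLE_LOG = """\
2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 155: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 34: error:1408F10B:SSL
"""

# Shape of a clientNegotiateSSL failure line: timestamp, kid, FD, then the
# OpenSSL error string "error:<code>:<lib>:<function>:<reason> (<ret>)".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^(]+?)(?: \((?P<ret>[^)]*)\))?$"
)


def parse_cache_log(text):
    """Return (records, unparsed).  Truncated or unrelated lines are kept in
    `unparsed` rather than silently dropped, so the operator can see them."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)
    return records, unparsed


def summarize(records):
    """Count failures per (OpenSSL code, reason): many hits on one code from
    one client population points at a single protocol, not a flaky site."""
    return Counter((r["code"], r["reason"].strip()) for r in records)


# Record-layer version numbers as (major, minor).  (0, 2) is the SSLv2 value
# carried inside an SSLv2-compatible ClientHello.
VERSIONS = {
    (0, 2): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def classify_client_hello(first_bytes):
    """Classify the first bytes a client sent after the TCP handshake.

    A TLS record starts with content type 0x16 (handshake) followed by the
    record version, major byte 0x03.  An SSLv2-compatible ClientHello starts
    with a two-byte length whose high bit is set, then message type 0x01,
    then the version.  Anything else is not SSL/TLS, which is exactly what
    OpenSSL reports as "wrong version number" when it tries to read a record.
    Returns (kind, (major, minor)) with kind in {"tls", "sslv2-hello", "not-tls"}.
    """
    b = bytes(first_bytes)
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03:
        return "tls", (b[1], b[2])
    if len(b) >= 5 and (b[0] & 0x80) and b[2] == 0x01:
        return "sslv2-hello", (b[3], b[4])
    return "not-tls", None


def version_name(v):
    return VERSIONS.get(v, "unknown SSL/TLS version %d.%d" % v)


def diagnose(first_bytes, min_version=(3, 1)):
    """Map a connection's first bytes to the reason a bump would fail.

    `min_version` is an assumed proxy floor (default TLS 1.0); compare it with
    whatever the local OpenSSL build and squid.conf actually allow.
    """
    kind, v = classify_client_hello(first_bytes)
    if kind == "not-tls":
        # Marcus's case: not HTTPS, so SSL bumping cannot apply at all.
        return "not-tls"
    if v < min_version:
        # Amos's case: the client announces a version the proxy has disabled.
        return "too-old:" + version_name(v)
    return "ok:" + version_name(v)


if __name__ == "__main__":
    recs, bad = parse_cache_log(SAMPLE_LOG)
    print(summarize(recs), "unparsed:", len(bad))
    for label, sample in [
        ("TLS 1.2 ClientHello", b"\x16\x03\x03\x00\xc5\x01\x00\x00\xc1\x03\x03"),
        ("SSL 3.0 ClientHello", b"\x16\x03\x00\x00\x40\x01"),
        ("SSLv2-style hello", b"\x80\x2e\x01\x00\x02"),
        ("plain HTTP on a TLS port", b"GET / HTTP/1.1\r\n"),
        ("non-TLS payload (constructed)", b"\x00\x05\x17\xa2\x03\x01\xff\x00"),
    ]:
        print("%-30s %s" % (label, diagnose(sample)))
```

Feeding the first client bytes of a failing intercepted connection into `diagnose()` separates the two diagnoses the thread offers: a `too-old:` result is fixed by adjusting the proxy's allowed protocol versions (with the BEAST/CRIME caveat Amos gives), while `not-tls` means no bump configuration will help and the traffic has to be tunnelled or blocked by policy instead.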