Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Eugene M. Zheganin wrote:
> On 18.10.2014 16:11, Victor Sudakov wrote:
>> I thought as much. This error seems suspicious. But why does a second request not cause the same error?
> No idea.

Hopefully I can interest our Windows admin to enable Kerberos event logging per KB262177.

But for the present I have found an ugly workaround. In squid's keytab, I created another principal called 'squiduser' with the same hex key and kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru'. Of course this required running the squid authentication helper with the '-s GSS_C_NO_NAME' option.

And you know what? It works. Browsers are being authenticated all right. This means that the encrypted token is all right, and the problem was only in the principal name (it being different in the request and the received ticket). This is quite mysterious to me.

Also, Heimdal error messages definitely suck.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] windowsupdate and ssl_bump
On 18/10/2014 8:56 p.m., Josep Borrell wrote:
> Hi,
> We are using a 3.4.8 squid Proxy in intercept mode via wccp. Squid intercepts HTTP and HTTPS via ssl_bump. All is working fine except that Windows machines can't do a Windows Update. It is not working at all, giving an error 80072F8F. With HTTPS redirection disabled all works fine.
> Does someone know how to maintain the SSL interception with a functional Windows Update?

Windows Update has always done a call-home CONNECT request to port 443 to verify the licensing or something. It may or may not actually be HTTPS. I would look into what is happening with those requests with your bumping setup.

Amos
Re: [squid-users] Negotiate bug in squidclient ?
That is a bug. Please add to bugzilla.

Amos
Re: [squid-users] Question squid on centos 6.5 and poodle
Hi

Thanks for clearing that up.

So when I do an openssl ciphers and select the ciphers I want, including the PFS-enabled ones, I take the list and try to use it in ciphers=, and the list seems to be disregarded and only 1 cipher is available, at least from online checking and with nmap.

I have nossl2 and nossl3; that covers me for most things apart from PFS.

I am not ready to upgrade to a non RHEL/CentOS version as that has other implications! But in the end, if I must...

I am wondering if that's a known bug or I am configuring it wrongly. This is the cipher list I have tried as well:

openssl ciphers 'ALL:!SSLv2:!SSLv3:@STRENGTH'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256

ldd points to /usr/lib64/libssl.so.10 and openssl-1.0.1e-30.el6_5.2.x86_64

Alex

On 17 October 2014 18:20, Amos Jeffries squ...@treenet.co.nz wrote:
> On 17/10/2014 7:24 p.m., Alexander Samad wrote:
>> Hi
>> I am trying to reconfig the ssl setup on a reverse proxy. I have set
>>
>> https_port 2.7.3.1:443 accel cert=/etc/httpd/conf.d/office.xyz.com.crt key=/etc/httpd/conf.d/office.xyz.com.key dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3 cipher=ALL:!SSLv2:!SSLv3@STRENGTH
>>
>> But I only get a limited list of ciphers, completely different from openssl ciphers 'ALL:!SSLv2:!SSLv3@STRENGTH'. In fact it doesn't seem to look at the cipher option at all.
>
> There seems to be some FUD and confusion going around since POODLE was announced. In particular people mentioning a cipher called SSLv3.
>
> The cipher having problems is CBC. The SSLv3 is simply the SSL/TLS version where that cipher is mandatory to support.
>
> Let's be clear: cipher != SSL/TLS version
>
> The cipher being unusable now *also* makes the whole version unusable and dangerous. Just like SSLv2 some years ago when the last of its ciphers was broken, and TLSv1.0 will someday soon.
>
> The options=NO_SSLv2,NO_SSLv3 that you have set is sufficient to close the POODLE vulnerability.
>
> NP: Do make sure you have a Squid 3.2 or later, the older ones enabled some default options that are pretty bad these days.
>
>> Any pointers on what I am doing wrong? Right now I am left with
>>
>> https_port 2.7.3.1:443 accel cert=/etc/httpd/conf.d/office.xyz.com.crt key=/etc/httpd/conf.d/office.xyz.com.key dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3
>>
>> but https://www.ssllabs.com/ssltest/ gives me an A- .. no PFS.
>
> That I'm afraid depends on your OpenSSL library. Some of them have PFS ciphers enabled by default, some you have to add options or ciphers to get it, some don't support it at all.
>
> You do need dhparams= to enable them. But beyond that it's all OpenSSL.
>
> Amos
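The cipher list Alex posted is worth reading suite by suite, because it illustrates Amos's point that a cipher specifier and a protocol version are different things, and it also contains something neither of them mentions. The following is an added example written for this page, not code from the Squid project or from either poster. It classifies each OpenSSL suite name by its key-exchange prefix (ECDHE/DHE = ephemeral and forward secret, ECDH/DH = static, ADH/AECDH = anonymous with no server authentication, no prefix = RSA key transport), buckets the posted list accordingly, and derives a cipher string that keeps only authenticated forward-secret suites with AEAD suites first. The embedded list is the `openssl ciphers` output from the thread; the classification by name is a convention, not a guarantee, so treat the output as a screening aid rather than a substitute for the OpenSSL cipher table.

```python
"""
Audit an OpenSSL cipher list (the expanded output of `openssl ciphers <spec>`)
for forward secrecy and server authentication, by suite-name convention.
"""

EPHEMERAL = {"ECDHE", "DHE", "EDH"}   # ephemeral (EC)DH: forward secret, authenticated
ANONYMOUS = {"ADH", "AECDH"}          # anonymous (EC)DH: forward secret but NOT authenticated
STATIC = {"ECDH", "DH"}               # static (EC)DH: authenticated, not forward secret
AEAD_TAGS = ("GCM", "CCM", "POLY1305")

# Output of  openssl ciphers 'ALL:!SSLv2:!SSLv3:@STRENGTH'  as posted in the thread
# above (OpenSSL 1.0.1e on CentOS 6.5). Embedded here so the script runs offline.
POSTED_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:"
    "ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:"
    "ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:"
    "ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256"
)


def _split(cipher_list):
    """Split a ':'-separated OpenSSL cipher list, dropping empty entries."""
    return [s for s in cipher_list.strip().split(":") if s]


def classify(suite):
    """Return (key_exchange, forward_secret, authenticated, aead) for one suite name."""
    # Export-grade suites carry the key-exchange token after the EXP- prefix.
    name = suite[4:] if suite.startswith("EXP-") else suite
    first = name.split("-", 1)[0]
    aead = any(tag in name for tag in AEAD_TAGS)
    if first in EPHEMERAL:
        return first, True, True, aead
    if first in ANONYMOUS:
        return first, True, False, aead
    if first in STATIC:
        return first, False, True, aead
    # No key-exchange prefix: RSA key transport (the session key is encrypted
    # to the server's RSA key, so a leaked private key decrypts past traffic).
    return "RSA", False, True, aead


def audit(cipher_list):
    """Bucket every suite into forward_secret / static_kx / anonymous."""
    report = {"forward_secret": [], "static_kx": [], "anonymous": []}
    for suite in _split(cipher_list):
        _kx, forward_secret, authenticated, _aead = classify(suite)
        if not authenticated:
            report["anonymous"].append(suite)
        elif forward_secret:
            report["forward_secret"].append(suite)
        else:
            report["static_kx"].append(suite)
    return report


def hardened_cipher_string(cipher_list):
    """Keep only authenticated forward-secret suites, AEAD first, original order otherwise."""
    keep = []
    for suite in _split(cipher_list):
        _kx, forward_secret, authenticated, aead = classify(suite)
        if forward_secret and authenticated:
            keep.append((0 if aead else 1, suite))
    # sorted() is stable, so suites of equal rank keep the order OpenSSL gave them
    return ":".join(suite for _rank, suite in sorted(keep, key=lambda t: t[0]))


if __name__ == "__main__":
    report = audit(POSTED_LIST)
    for bucket, suites in report.items():
        print("%-15s %2d  %s" % (bucket, len(suites), " ".join(suites)))
    print("\nsuggested cipher= value:\n" + hardened_cipher_string(POSTED_LIST))
```

Two things fall out of running this over the posted list. First, the `ALL` keyword in an OpenSSL specifier includes the aNULL (anonymous DH) suites, which is why four ADH-* entries appear; a specifier for a public-facing port should carry `!aNULL:!eNULL`, since an anonymous suite gives forward secrecy but no defence against an active man-in-the-middle. Second, `!SSLv3` in a *cipher* specifier does not disable the SSLv3 *protocol*; it removes the suites OpenSSL tags as SSLv3-era, which on 1.0.1 is everything except the TLSv1.2-only SHA256/SHA384/GCM suites, exactly what the posted output shows. Disabling the protocol is the `options=NO_SSLv3` part of the `https_port` line, as Amos says.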
Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Hi.

On 19.10.2014 13:32, Victor Sudakov wrote:
> Hopefully I can interest our Windows admin to enable Kerberos event logging per KB262177.
>
> But for the present I have found an ugly workaround. In squid's keytab, I created another principal called 'squiduser' with the same hex key and kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru'.

(This may sound like a dumb question, but anyway) Did you initially map any AD user to the SPN with a hostname that clients know your proxy under?

Eugene.
Re: [squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)
Hi Amos

Do you have new findings? Should I open a bug for better tracking?

Kind regards,
Tom

On Mon, Oct 13, 2014 at 8:16 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 13/10/2014 6:26 p.m., Tom Tom wrote:
>> Hi
>> Does anyone have some ideas/hints concerning this problem?
>
> I am looking into it and fairly sure it's a bug in how the ACL result is returning 1 == ALLOWED. But that was done to solve another bug in auth ACLs re-authenticating credentials from outside the encryption, using the encrypted channel.
>
> Am still trying to figure out what the appropriate fix might look like.
>
> Amos