Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-08 Thread Amos Jeffries
On 09/06/18 11:15, Julian Perconti wrote:
> Hello community, I am new to the list and I hope everyone is well.
> 
> I have a squid server running on Debian 7.
> 
> My squid version is 3.5.27 manually compiled with LibreSSL 2.6.0 due to
> problems with Dropbox. After compiling squid with LibreSSL, the error
> "unknown cipher returned" has disappeared and Dropbox worked correctly.
> 
> Everything works quite well, except that in /var/log/squid/cache.log there
> are 5 types of problems (at least):
> 
> [1] 2018/06/08 17:14:05 kid1| Error negotiating SSL connection on FD 7:
> error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca (1/0)
> [2] 2018/06/08 17:14:39 kid1| Error negotiating SSL on FD 11:
> error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
> (1/-1/0)
> [3] 2018/06/08 18:35:43 kid1| Error negotiating SSL connection on FD 10:
> (104) Connection reset by peer
> [4] 2018/06/08 18:56:52 kid1| Error negotiating SSL on FD 13:
> error::lib(0):func(0):reason(0) (5/-1/104)
> [5] 2018/06/08 19:20:06 kid1| Error negotiating SSL connection on FD 9:
> error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt (1/-1)

This one may need you to check the ciphers you are allowing. Or be a
sign of a bug in the library.

Trying to connect to the server manually with a CLI tool that can debug
the verify procedure would be the best way forward. You may want to look
at the handshake the client is sending to Squid and Squid to the server
for what to test with.


> 
> However I think (I'm not sure but ...) that the most serious is number
> [2]:
> SSL negotiating error on FD 11: error: 14007086: SSL routines:
> CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> The problem I have is with WhatsApp from mobile devices ... the application
> tries to connect to the network indefinitely without success, and the error
> that appears (at that moment) is [2]: (...) certificate verify failed
> (1/-1/0)
> 

For 3.5.27 you need to find out what their CA is and decide whether it's
worth adding to sslproxy_foreign_intermediate_certs (for intermediates),
OR to sslproxy_cafile or the system root CAs if it's self-signed.

If it's an intermediate you might have better behaviour with Squid-4. But
be aware that LibreSSL is not tested by any of us devs, so technically
"not supported" even if it usually works.


> 
> https_port 3130 intercept ssl-bump \
>   cert=/etc/squid/ssl_cert/squidCA.pem \
>   key=/etc/squid/ssl_cert/squidCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> tls-dh=/etc/squid/ssl_cert/dhparam.pem

These DH parameters are for old DH not for ECDHE (missing curve name).
So this may be restricting what your Squid can do to match up the client
and server crypto requirements.


> 
> Any kind of suggestion is welcome; both if there is something wrong in the
> configuration written above, or better yet if someone knows the cause and
> solution of this problem.

Most of these are probably just the side effects of an untrusted CA.
This is normal for TLS/SSL.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Julian Perconti
>> https_port 3130 intercept ssl-bump \
>>   cert=/etc/squid/ssl_cert/squidCA.pem \
>>   key=/etc/squid/ssl_cert/squidCA.pem \
>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
>> tls-dh=/etc/squid/ssl_cert/dhparam.pem
>
>These DH parameters are for old DH not for ECDHE (missing curve name).
>So this may be restricting what your Squid can do to match up the client and 
>server crypto requirements.

Hi Amos,

I have commented out the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem"

And it seems that many errors (SSL errors) in cache.log have disappeared.
I will confirm later if WhatsApp works from iOS/Android.

Thank You!

PS: I used this option (tls-dh, dhparam, etc.) following the official 
documentation of squid-cache.org for the "hardening" ... or "improve security", 
etc.



Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-09 Thread Amos Jeffries
On 10/06/18 03:46, Julian Perconti wrote:
>>> https_port 3130 intercept ssl-bump \
>>>   cert=/etc/squid/ssl_cert/squidCA.pem \
>>>   key=/etc/squid/ssl_cert/squidCA.pem \
>>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
>>> tls-dh=/etc/squid/ssl_cert/dhparam.pem
>>
>> These DH parameters are for old DH not for ECDHE (missing curve name).
>> So this may be restricting what your Squid can do to match up the client and 
>> server crypto requirements.
> 
> Hi Amos,
> 
> I have commented out the line: "tls-dh=/etc/squid/ssl_cert/dhparam.pem"
> 
> And it seems that many errors (SSL errors) in cache.log have disappeared.
> I will confirm later if WhatsApp works from iOS/Android.
> 
> Thank You!
> 
> PS: I used this option (tls-dh, dhparam, etc.) following the official 
> documentation of squid-cache.org for the "hardening" ... or "improve 
> security", etc.

Interesting.

The main issue was that you configured only params for the Diffie-Hellman
(DH and DHE) ciphers - no curve name. That meant your specified EEC*
ciphers were disabled since they require a curve name as well.

Removing this option completely disables both DH and ECDH cipher types,
leaving your proxy with only the RSA based ciphers.

Amos


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.

On 10.06.2018 08:49, Amos Jeffries wrote:
> Interesting.
> 
> The main issue was that you configured only params for the Diffie-Hellman
> (DH and DHE) ciphers - no curve name. That meant your specified EEC*
> ciphers were disabled since they require a curve name as well.
> 
> Removing this option completely disables both DH and ECDH cipher types,
> leaving your proxy with only the RSA based ciphers.

Can you please tell how to configure this correctly?

I mean how to specify the curve name ...
and which curves are possible.

Thanks,
Walter





Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Amos Jeffries
On 10/06/18 20:42, Walter H. wrote:
> On 10.06.2018 08:49, Amos Jeffries wrote:
>>
>> Interesting.
>>
>> The main issue was that you configured only params for the Diffie-Hellman
>> (DH and DHE) ciphers - no curve name. That meant your specified EEC*
>> ciphers were disabled since they require a curve name as well.
>>
>> Removing this option completely disables both DH and ECDH cipher types,
>> leaving your proxy with only the RSA based ciphers.
>>
> Can you please tell how to configure this correctly?
> 
> I mean how to specify the curve name ...
> and which curves are possible.


The documentation covers that.


"
  tls-dh=[curve:]file

  File containing DH parameters for temporary/ephemeral DH key
  exchanges, optionally prefixed by a curve for ephemeral ECDH
  key exchanges.

  See OpenSSL documentation for details on how to create the
  DH parameter file. Supported curves for ECDH can be listed
  using the "openssl ecparam -list_curves" command.

  WARNING: EDH and EECDH ciphers will be silently disabled if
  this option is not set.
"

Curve names depend on library, so you have to check your own library for
them as described above.

Amos
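The three cases the quoted documentation describes (option absent, file without a curve prefix, curve plus file) can be checked mechanically before a reload. The script below is an added example, not code from this thread or from the Squid project: it lints the tls-dh= value of a *_port line, and checks a curve prefix against the output of "openssl ecparam -list_curves". The https_port line is the one posted earlier in the thread; the curve-list text is a constructed sample in that command's format (a handful of names, not a full list), and prime256v1 is an assumed choice of curve, so replace both with what your own library prints.

```python
"""Lint the tls-dh=[curve:]file option of a Squid *_port line (added example)."""
import re

# https_port line as posted in this thread (backslash continuations kept).
THREAD_PORT_LINE = """\
https_port 3130 intercept ssl-bump \\
  cert=/etc/squid/ssl_cert/squidCA.pem \\
  key=/etc/squid/ssl_cert/squidCA.pem \\
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \\
  tls-dh=/etc/squid/ssl_cert/dhparam.pem
"""

# Constructed sample in the "  name: description" format that
# "openssl ecparam -list_curves" prints; not an authoritative list.
SAMPLE_LIST_CURVES = """\
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
"""

CURVE_LINE_RE = re.compile(r"^\s*(\S+)\s*:")


def parse_list_curves(text):
    """Curve names from `openssl ecparam -list_curves` output, in order."""
    return [m.group(1) for m in map(CURVE_LINE_RE.match, text.splitlines()) if m]


def port_options(port_line):
    """Tokens of a (possibly backslash-continued) *_port directive."""
    return port_line.replace("\\\n", " ").split()


def check_tls_dh(port_line, known_curves=None):
    """Report which ephemeral key-exchange families the line leaves enabled.

    absent        : no tls-dh at all -> EDH and EECDH ciphers silently disabled
    dh-only       : DH parameter file but no curve -> EECDH still disabled
    unknown-curve : curve prefix not in known_curves (if a list was given)
    ok            : curve and file present -> both families usable
    """
    values = [t[len("tls-dh="):] for t in port_options(port_line)
              if t.startswith("tls-dh=")]
    if not values:
        return {"status": "absent", "curve": None, "file": None,
                "edh": False, "eecdh": False}
    curve, _, path = values[-1].rpartition(":")   # "curve:file" or just "file"
    if not curve:
        return {"status": "dh-only", "curve": None, "file": path,
                "edh": True, "eecdh": False}
    if known_curves is not None and curve not in known_curves:
        return {"status": "unknown-curve", "curve": curve, "file": path,
                "edh": True, "eecdh": False}
    return {"status": "ok", "curve": curve, "file": path,
            "edh": True, "eecdh": True}


def suggest_tls_dh(port_line, curve):
    """Return the directive with the curve prefix added to tls-dh (one line)."""
    out, seen = [], False
    for tok in port_options(port_line):
        if tok.startswith("tls-dh="):
            path = tok[len("tls-dh="):].rpartition(":")[2]
            tok, seen = f"tls-dh={curve}:{path}", True
        out.append(tok)
    if not seen:   # placeholder path, taken from the thread's own config
        out.append(f"tls-dh={curve}:/etc/squid/ssl_cert/dhparam.pem")
    return " ".join(out)


if __name__ == "__main__":
    curves = parse_list_curves(SAMPLE_LIST_CURVES)
    print(check_tls_dh(THREAD_PORT_LINE, curves))
    fixed = suggest_tls_dh(THREAD_PORT_LINE, "prime256v1")
    print(fixed)
    print(check_tls_dh(fixed, curves))
```

Feed it the real list with `openssl ecparam -list_curves` piped into a file: the set of usable names differs between OpenSSL and LibreSSL builds, which is exactly why the documentation points at the local library rather than naming curves.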


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-12 Thread Julian Perconti
>Interesting.
>
>The main issue was that you configured only params for the Diffie-Hellman (DH 
>and DHE) ciphers - no curve name. That meant your specified EEC* ciphers were 
>disabled since they require a curve name as well.
>
>Removing this option completely disables both DH and ECDH cipher types,
>leaving your proxy with only the RSA based ciphers.
>
>Amos

kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)

Hi Amos,

I still have no luck connecting with WhatsApp from iOS.

How can I track this error?

kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)

I mean examine the FD ... or what? How? Because from iOS I can't see any 
error, it just tries to connect indefinitely.

Some WhatsApp/Facebook server with the command:

Openssl s_client -connect -showcerts x.x.x.x:443 

Does not show any cert and establishes a connection with TLS 1.2...

Any idea?

Thank You



Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread L . P . H . van Belle
Hi, 

I would say Facebook protected their certificates with TLSA. 
Then you can't use ssl bump if I'm correct. 

Greetz, 

Louis 

> -----Original Message-----
> From: squid-users 
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
> Julian Perconti
> Sent: Tuesday 12 June 2018 21:55
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] SSL errors with Squid 3.5.27
> 
> >Interesting.
> >
> >The main issue was that you configured only params for the 
> >Diffie-Hellman (DH and DHE) ciphers - no curve name. That 
> >meant your specified EEC* ciphers were disabled since they 
> >require a curve name as well.
> >
> >Removing this option completely disables both DH and ECDH 
> >cipher types,
> >leaving your proxy with only the RSA based ciphers.
> >
> >Amos
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> Hi Amos,
> 
> I still have no luck connecting with WhatsApp from iOS.
> 
> How can I track this error?
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> I mean examine the FD ... or what? How? Because from iOS I 
> can't see any error, it just tries to connect indefinitely.
> 
> Some WhatsApp/Facebook server with the command:
> 
> Openssl s_client -connect -showcerts x.x.x.x:443 
> 
> Does not show any cert and establishes a connection with TLS 1.2...
> 
> Any idea?
> 
> Thank You
> 
> 



Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-13 Thread Amos Jeffries
On 13/06/18 07:54, Julian Perconti wrote:
>> Interesting.
>>
>> The main issue was that you configured only params for the Diffie-Hellman (DH 
>> and DHE) ciphers - no curve name. That meant your specified EEC* ciphers 
>> were disabled since they require a curve name as well.
>>
>> Removing this option completely disables both DH and ECDH cipher types,
>> leaving your proxy with only the RSA based ciphers.
>>
>> Amos
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> Hi Amos,
> 
> I still have no luck connecting with WhatsApp from iOS.
> 
> How can I track this error?
> 
> kid1| Error negotiating SSL on FD 60: error:14007086:SSL 
> routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
> 
> I mean examine the FD ... or what? How? Because from iOS I can't see any 
> error, it just tries to connect indefinitely.

Yes. With "debug_options ALL,9" and a "grep --context=10 'FD nn'" of the
resulting cache.log for whatever the FD number is in the test after you
update the logging content. Some of those lines should show what is
happening on that FD, maybe some clues in there.


> 
> Some WhatsApp/Facebook server with the command:
> 
> Openssl s_client -connect -showcerts x.x.x.x:443 
> 
> Does not show any cert and establishes a connection with TLS 1.2...
> 
> Any idea?

Probably something you are not noticing, or think is irrelevant but
actually is.

Since you are hiding the details of what is going on we cannot replicate
and see for ourselves if there is any hint in those hidden results which
anyone with more knowledge might find.

Amos
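The grep-by-FD approach described above can be scripted so that every "Error negotiating SSL" line is parsed into its OpenSSL error code, function, reason and Squid's trailing (ssl_error/ret/errno) tuple, and is shown together with the debug lines that name the same FD. The script below is an added example, not code from this thread or from the Squid project. Its SAMPLE_LOG is constructed from the lines quoted in this thread (the five error types and the 83,x debug lines for courier.push.apple.com). Which side of the proxy an error belongs to is read from the OpenSSL function prefix (ACCEPT_* is the handshake with the client, CONNECT_* the handshake with the origin); where no function name is logged it falls back to the message wording, which is an assumption about Squid 3.5's two log formats. The hints are the diagnoses given in the thread for each reason text, nothing more.

```python
"""Triage "Error negotiating SSL" lines in a Squid cache.log (added example)."""
import re

# Constructed from the cache.log lines quoted in this thread.
SAMPLE_LOG = """\
2018/06/08 17:14:05 kid1| Error negotiating SSL connection on FD 7: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca (1/0)
2018/06/08 18:35:43 kid1| Error negotiating SSL connection on FD 10: (104) Connection reset by peer
2018/06/08 19:20:06 kid1| Error negotiating SSL connection on FD 9: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt (1/-1)
2018/06/08 18:56:52 kid1| Error negotiating SSL on FD 13: error::lib(0):func(0):reason(0) (5/-1/104)
2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed certificate in certificate chain: /CN=courier.push.apple.com/O=Apple Inc./ST=California/C=US
2018/06/18 08:22:08.822 kid1| 83,7| bio.cc(168) stateChanged: FD 16 now: 0x4008 3RSC_B (SSLv3 read server certificate B)
2018/06/18 08:22:08.823 kid1| Error negotiating SSL on FD 16: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
"""

ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| Error negotiating SSL(?P<conn> connection)? "
    r"on FD (?P<fd>\d+): (?P<detail>.*)$")
# ERR_error_string() text "error:code:lib:func:reason" + Squid's "(ssl_error/ret[/errno])"
OPENSSL_RE = re.compile(
    r"^error:(?P<code>[0-9A-Fa-f]*):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>.*?)\s*\((?P<nums>-?\d+(?:/-?\d+)*)\)$")
SYSCALL_RE = re.compile(r"^\((?P<errno>\d+)\) (?P<reason>.*)$")

# SSL_get_error() values seen as the first number of the tuple.
SSL_ERROR_NAMES = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# Hints as given in this thread for each reason text.
HINTS = {
    "unknown ca": "client rejected the cert Squid presented: it does not trust the bumping CA",
    "certificate verify failed": "Squid could not verify the origin chain: check "
                                 "sslproxy_cafile / sslproxy_foreign_intermediate_certs",
    "bad decrypt": "check the allowed ciphers; may also be a library bug",
    "Connection reset by peer": "peer closed the connection mid-handshake",
}


def side_of(func, client_wording):
    if func.startswith("ACCEPT_"):
        return "client"
    if func.startswith("CONNECT_"):
        return "server"
    return "client" if client_wording else "server"   # assumption: 3.5 wording


def parse_error(line):
    """Parse one error line into a dict, or return None for other lines."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    detail = m.group("detail").strip()
    rec = {"ts": m.group("ts"), "fd": int(m.group("fd")), "code": None,
           "func": None, "reason": detail, "ssl_error": None, "errno": None}
    om = OPENSSL_RE.match(detail)
    if om:
        nums = [int(n) for n in om.group("nums").split("/")]
        rec.update(code=om.group("code") or None, func=om.group("func"),
                   reason=om.group("reason").strip(), ssl_error=nums[0],
                   errno=nums[2] if len(nums) == 3 else None)
    else:
        sm = SYSCALL_RE.match(detail)           # "(errno) strerror" form
        if sm:
            rec.update(errno=int(sm.group("errno")), reason=sm.group("reason"))
    rec["side"] = side_of(rec["func"] or "", m.group("conn") is not None)
    rec["ssl_error_name"] = SSL_ERROR_NAMES.get(rec["ssl_error"])
    rec["hint"] = next((h for k, h in HINTS.items() if k in rec["reason"]),
                       "no hint: read the FD context")
    return rec


def fd_context(lines, idx, fd, context):
    """Lines within `context` of the error plus every line naming the same FD."""
    fd_re = re.compile(rf"\bFD {fd}\b")
    keep = set(range(max(0, idx - context), min(len(lines), idx + context + 1)))
    keep |= {i for i, l in enumerate(lines) if fd_re.search(l)}
    keep.discard(idx)
    return [lines[i] for i in sorted(keep)]


def triage(log_text, context=2):
    lines = [l for l in log_text.splitlines() if l.strip()]
    results = []
    for i, line in enumerate(lines):
        rec = parse_error(line)
        if rec:
            rec["context"] = fd_context(lines, i, rec["fd"], context)
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"FD {r['fd']} [{r['side']} side] {r['reason']} "
              f"(ssl_error={r['ssl_error_name']}, errno={r['errno']}) -> {r['hint']}")
        for l in r["context"]:
            print("    " + l)
```

Run it as `python3 triage.py < /dev/null` after replacing SAMPLE_LOG with `open("/var/log/squid/cache.log").read()`; with debug_options raised, the ssl_verify_cb line that explains a CONNECT_CR_CERT failure lands in the FD's context, which is the line worth reading before adding any CA to sslproxy_cafile.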


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Amos Jeffries
On 14/06/18 09:20, Julian Perconti wrote:
> 
> #
> Here an example:
> #
> 
> openssl s_client -connect 31.13.94.54:443
> CONNECTED(0003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 290 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: 
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg   : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1528924452
> Timeout   : 300 (sec)
> Verify return code: 0 (ok)
> 

The above says:
 * do not encrypt this content
 * disable all security checks
 * disable all ability to becomes secure later
 * send everything in plain-text format.


This is the "NULL" cipher () which is forbidden in your
sslproxy_cipher config by "!aNULL:!eNULL:!LOW".


The existence of this cipher is one reason why a) TLS does not
necessarily make things secure, and b) making the proxy always "just
work" is not necessarily a good idea.



... so you now have the choice:

 Do you *actually* want security?
if so let the proxy block the traffic.

OR,

 Do you want users to have same experience as no-proxy gives?
   if so remove the cipher etc restrictions you have improving security
at the proxy.


Amos


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-14 Thread Matus UHLAR - fantomas

On 13.06.18 18:20, Julian Perconti wrote:
> Does not show any cert and establishes a connection with TLS 1.2...
> 
> openssl s_client -connect 31.13.94.54:443
> CONNECTED(0003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 290 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher: 
>    Session-ID:
>    Session-ID-ctx:
>    Master-Key:
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    SRP username: None
>    Start Time: 1528924452
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
have you tried -servername option for setting SNI extension?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
> have you tried -servername option for setting SNI extension?

How can I do this?



Well, debugging cache.log I found this:

2018/06/18 08:22:08.822 kid1| 83,5| support.cc(300) ssl_verify_cb: Self signed 
certificate in certificate chain: /CN=courier.push.apple.com/O=Apple 
Inc./ST=California/C=US
2018/06/18 08:22:08.822 kid1| 83,7| bio.cc(168) stateChanged: FD 16 now: 0x4008 
3RSC_B (SSLv3 read server certificate B)
2018/06/18 08:22:08.822 kid1| 83,7| bio.cc(168) stateChanged: FD 16 now: 0x1002 
3RSC_B (SSLv3 read server certificate B)
2018/06/18 08:22:08.823 kid1| Error negotiating SSL on FD 16: 
error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
2018/06/18 08:22:08.825 kid1| 4,3| errorpage.cc(1100) Convert: errorConvert: 
%%D --> 'Self-signed SSL Certificate in chain: /C=US/O=Apple Inc./OU=Apple 
Certification Authority/CN=Apple Root CA'
2018/06/18 08:22:08.830 kid1| 33,5| client_side.cc(4185) getSslContextStart: 
Generating SSL certificate for courier.push.apple.com using ssl_crtd.
2018/06/18 08:22:08.831 kid1| 33,5| client_side.cc(4189) getSslContextStart: 
SSL crtd request: new_certificate 3294 host=courier.push.apple.com
-BEGIN CERTIFICATE-
-END CERTIFICATE-
2018/06/18 08:22:08.831 kid1| 84,9| helper.cc(386) helperSubmit:  
buf[3316]=new_certificate] 3294 host=courier.push.apple.com
-BEGIN CERTIFICATE-
-END CERTIFICATE-
2018/06/18 08:22:08.835 kid1| 84,9| helper.cc(875) helperHandleRead:  
accumulated[3002]=OK] 2993 -BEGIN CERTIFICATE-
-END CERTIFICATE-

On Android devices WhatsApp works fine, slow but it works.

I think that the main problem resides in this line:

ssl_verify_cb: Self signed certificate in certificate chain:

courier.push.apple.com is Entrust L1K chain... (if I'm not wrong)

Any idea?



Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Matus UHLAR - fantomas

On 18.06.18 08:31, Julian Perconti wrote:
>> have you tried -servername option for setting SNI extension?
> 
> How can I do this?

man s_client:

   -servername name
   Set the TLS SNI (Server Name Indication) extension in the
   ClientHello message.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-18 Thread Julian Perconti
Googling I found these cfg lines:

acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

sslproxy_cert_error allow SSLERR

sslproxy_cert_error deny all

The error "certificate verify failed" has disappeared; I refer to this error:

routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
2018/06/18 08:22:08.825 kid1| 4,3| errorpage.cc(1100) Convert: errorConvert: 
%%D --> 'Self-signed SSL Certificate in chain: /C=US/O=Apple Inc./OU=Apple 
Certification Authority/CN=Apple Root CA'

But... WhatsApp on iOS devices is still not working. 
So that was not the root cause of the problem.

On Android WhatsApp Works fine.

Any other idea?

Thank You.




Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-28 Thread Julian Perconti
Hi all:

Finally I migrated everything to Debian 9 with OpenSSL 1.1 and Squid 4 (June 
22/18) release (the last one).

Everything seems to go very well.

However, the dropbox client logs this error in cache.log:

kid1| ERROR: negotiating TLS on FD 35: error:141710F8:SSL 
routines:tls_process_server_hello:unknown cipher returned (1/-1/0)

squid version:

Squid Cache: Version 4.0.25-20180621-r887c98a
Service Name: squid

This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--build=x86_64-linux-gnu' 
'--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' 
'--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' 
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' 
'--with-openssl' '--enable-ssl-crtd' '--mandir=/share/man' 
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-icap' '--enable-cache-digests' 
'build_alias=x86_64-linux-gnu' --enable-ltdl-convenience

openssl version and ciphers:

OpenSSL 1.1.0f  25 May 2017

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

squid.conf ciphers:

tls_outgoing_options 
cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I still have not tried what happens with WhatsApp from iOS (original problem)

Any ideas? Fix?



Re: [squid-users] SSL errors with Squid 3.5.27 [SOLVED]

2018-07-02 Thread Julian Perconti
Hi all,

Problem solved.

With Squid 4 and OpenSSL 1.1:

I realized that WhatsApp uses the following ports:

5223, 5228, 4244, 5242, and 5222 in addition to 443, 80.

So I opened those ports on the firewall and everything worked.

Also I changed the cipher suite in squid.conf like this (for the Dropbox 
client problem):

tls_outgoing_options 
cipher=ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

software info:

Squid Cache: Version 4.0.25
Service Name: squid

This binary uses OpenSSL 1.1.0f  25 May 2017. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--build=x86_64-linux-gnu' 
'--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' 
'--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' 
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' 
'--with-openssl' '--enable-ssl-crtd' '--mandir=/share/man' 
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-icap' '--enable-cache-digests' 
'build_alias=x86_64-linux-gnu' --enable-ltdl-convenience

# openssl version
OpenSSL 1.1.0f  25 May 2017

Thanks everybody.

PS: I think the same would work with squid 3.5.27 on debian 7, because it was a 
firewall problem.
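Both cipher strings posted in this thread (the tls_outgoing_options line from the 2018-06-28 message and the replacement above) can be evaluated against the local OpenSSL before they go into squid.conf, which also makes concrete Amos's earlier point about the NULL cipher that the s_client test negotiated: a cipher string either keeps "!aNULL:!eNULL" or it leaves suites that do not encrypt or do not authenticate the server. The script below is an added example, not code from this thread or from the Squid project. It hands each string to OpenSSL's own cipher-list parser through Python's ssl module and reports what survives; WEAK_CIPHERS is a constructed string that re-enables the NULL and anonymous families for contrast. The exact suite list depends on the OpenSSL build the script runs against, not on Squid.

```python
"""Evaluate Squid cipher strings against the local OpenSSL (added example)."""
import ssl

# The two strings posted in this thread (tls_outgoing_options cipher=...).
THREAD_CIPHERS_BEFORE = "HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
THREAD_CIPHERS_AFTER = "ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL"
# Constructed contrast: what "make the proxy always just work" tends to look like.
WEAK_CIPHERS = "ALL:eNULL:aNULL"


def evaluate_cipher_string(cipher_string):
    """Return which TLS<=1.2 suites OpenSSL selects for the string, grouped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)        # same parser Squid's library uses
    except ssl.SSLError as exc:               # nothing matched at all
        return {"valid": False, "error": str(exc), "suites": [],
                "null_suites": [], "anonymous": [], "ephemeral": []}
    # TLS 1.3 suites are fixed and not governed by the cipher string.
    suites = [s["name"] for s in ctx.get_ciphers() if s.get("protocol") != "TLSv1.3"]
    return {
        "valid": True,
        "error": None,
        "suites": suites,
        # eNULL/aNULL leftovers: no encryption or no server authentication.
        "null_suites": [n for n in suites if "NULL" in n],
        "anonymous": [n for n in suites if n.startswith(("ADH-", "AECDH-"))],
        # Ephemeral DH/ECDH: the families tls-dh decides whether Squid can offer.
        "ephemeral": [n for n in suites if n.startswith(("ECDHE-", "DHE-"))],
    }


def verdict(result):
    """One-line judgement in the terms used in this thread."""
    if not result["valid"]:
        return "rejected by OpenSSL: " + result["error"]
    if result["null_suites"] or result["anonymous"]:
        return "INSECURE: NULL/anonymous suites enabled: " + ", ".join(
            result["null_suites"] + result["anonymous"])
    if not result["ephemeral"]:
        return "no forward secrecy: only RSA key exchange left"
    return f"ok: {len(result['suites'])} suites, {len(result['ephemeral'])} ephemeral"


if __name__ == "__main__":
    print("library:", ssl.OPENSSL_VERSION)
    for label, s in [("before", THREAD_CIPHERS_BEFORE),
                     ("after", THREAD_CIPHERS_AFTER),
                     ("weak (constructed)", WEAK_CIPHERS)]:
        print(f"{label:>20}: {verdict(evaluate_cipher_string(s))}")
```

Run it on the proxy host itself, since the answer is a property of the library Squid was linked against; a string that lists no NULL or anonymous suites here is one on which a NULL negotiation like the s_client output above cannot happen on the proxy's side of the connection.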
