Re: [squid-users] Skype SSL is incompatible with OpenSSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 02 May 2014 22:57:05 +1200

On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
> Hi,
>
> I have a squid setup that is currently doing transparent SSL
> interception. Almost all websites work flawlessly like
> https://facebook.com, gmail, banking websites etc. However, when
> intercepting SKYPE I've got the following error in my cache.log
>
>
> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 166: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number (1/-1)
> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 155: error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number (1/-1)
> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number (1/-1)

This means the SSL/TLS version being requested by the client is not
supported by your proxy.

For example; if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
your proxy or OpenSSL library is configured to disable those insecure
versions.

NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
supported versions in software as the older protocols are vulnerable to
the BEAST and CRIME attacks.

FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
also may be involved with this.

> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 34: error:1408F10B:SSL
>
>
> My Setup:
>
> Our firewall only allows ports 80 and 443 and some business ports
> that's why Skype will always be redirected by our WCCP router to the
> squid box.
>
> My openssl version is OpenSSL 1.0.1e 11 Feb 2013

I hope you have patched that for the Heartbeat vulnerability.

NOTE: Squid is not particularly susceptible to Heartbeat due to our
memory pooling feature but there is still some leakage and other
software on the machine will be vulnerable.

>
> My squid version is 3.4. I also tried different Squid versions but failed.
>

Amos
Received on Fri May 02 2014 - 10:57:23 MDT
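An added example, not part of the thread above and not Squid or OpenSSL code: it does two things a defender triaging these cache.log entries would want. First it parses lines of the form quoted above and unpacks the packed OpenSSL 1.0.x error code (library in bits 24-31, function in bits 12-23, reason in bits 0-11), so 1408F10B decodes to library 20 (SSL), function 143 (SSL3_GET_RECORD) and reason 267 (wrong version number) without consulting `openssl errstr`. Second it inspects the first bytes a client sent on the intercepted port and reports whether they form a TLS record header and which record-layer and ClientHello versions they carry; bytes that are not a TLS record at all, or a version the proxy's OpenSSL is not built or configured to accept, are what show up as "wrong version number". The log lines and client bytes below are constructed samples; the version-name table and the regex are this example's own.

```python
import re
import struct
from collections import Counter

# Constructed sample cache.log lines, modelled on the ones quoted in the thread
# (joined onto single lines as Squid actually writes them).
SAMPLE_CACHE_LOG = """\
2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 155: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
2014/05/02 18:18:20 kid1| Some unrelated cache.log line that must be ignored
"""

# Matches the clientNegotiateSSL error line and captures the packed OpenSSL code.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) kid\d+\| clientNegotiateSSL: Error negotiating SSL '
    r'connection on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):'
    r'(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+)'
)

# TLS record-layer / handshake version bytes -> protocol name (this example's table).
VERSION_NAMES = {(3, 0): 'SSLv3', (3, 1): 'TLSv1.0', (3, 2): 'TLSv1.1', (3, 3): 'TLSv1.2'}


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_cache_log(text):
    """Return one dict per clientNegotiateSSL error line in the given cache.log text."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # other cache.log traffic is not our concern here
        code = int(m['code'], 16)
        lib, func, reason = unpack_openssl_error(code)
        events.append({
            'timestamp': m['ts'],
            'fd': int(m['fd']),
            'code': code,
            'lib': lib,
            'func': func,
            'reason': reason,
            'reason_text': m['reason'].strip(),
        })
    return events


def summarize(events):
    """Count errors per human-readable reason, to spot a burst of one failure type."""
    return Counter(e['reason_text'] for e in events)


def classify_client_bytes(data):
    """Inspect the first bytes a client sent on the intercepted port.

    A TLS record starts with content type 0x16 (handshake), major version 3,
    a minor version and a 16-bit length; the ClientHello inside carries its own
    client_version at offset 9. Anything else is not TLS and cannot be
    negotiated by the proxy, whatever protocol versions it enables.
    """
    if len(data) < 5:
        return {'tls': False, 'why': 'fewer than 5 bytes, no record header'}
    ctype, major, minor, length = struct.unpack('!BBBH', data[:5])
    if ctype != 0x16 or major != 3:
        return {'tls': False, 'why': 'first bytes are not a TLS handshake record'}
    result = {'tls': True,
              'record_version': VERSION_NAMES.get((major, minor), 'unknown'),
              'record_length': length}
    # Handshake type 0x01 is ClientHello; its client_version follows the 4-byte header.
    if len(data) >= 11 and data[5] == 0x01:
        result['client_version'] = VERSION_NAMES.get((data[9], data[10]), 'unknown')
    return result


if __name__ == '__main__':
    for e in parse_cache_log(SAMPLE_CACHE_LOG):
        print(e['timestamp'], 'FD', e['fd'], 'lib', e['lib'], 'func', e['func'],
              'reason', e['reason'], e['reason_text'])
    print(summarize(parse_cache_log(SAMPLE_CACHE_LOG)))
    # Constructed: a TLSv1.0 record carrying a TLSv1.2 ClientHello header.
    print(classify_client_bytes(b'\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03'))
    # Constructed: bytes that are not TLS at all.
    print(classify_client_bytes(b'not-tls-at-all'))
```

Run against a real cache.log the summary tells you whether every failure is the same reason code; if it is, the next step is to capture the first record of one of those connections and feed it to the classifier, which separates "client speaks a TLS version the proxy disabled" (a TLS record with an old version) from "client does not speak TLS on this port at all" (no record header), since the two call for different fixes.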
