Re: [squid-users] Skype SSL is incompatible with OpenSSL

From: Jay Jimenez <jay_at_integralvox.com>
Date: Wed, 7 May 2014 10:52:43 +0800

Hi Marcus and Amos,

Thank you for the clarification. In my case, since I am using fake
CONNECT (interception proxy), there must be a way to exclude
Skype from SSL bumping. I tried excluding the browser ^skype user
agent as discussed on the Squid wiki and it still doesn't work. I also
tried excluding almost all sites from SSL bump and Skype still can't
connect.

As I said earlier, my firewall blocks everything except web (80 & 443)
and DNS. My firewall is also intercepting 443 and 80 via WCCP 70 and
web-cache redirect by Cisco, which is why Skype will always be
intercepted by Squid.

I'm wondering if there's someone who successfully allowed Skype to
fake CONNECT to squid (I'm referring to interception not explicit
proxying). I cannot fully implement https interception until I find a
solution to properly intercept Skype.

Many thanks in advance for all the help.

Jay

On Sat, May 3, 2014 at 3:02 AM, Marcus Kool <marcus.kool_at_urlfilterdb.com> wrote:
>
>
> On 05/02/2014 08:21 AM, Jay Jimenez wrote:
>>
>> Hi Amos,
>>
>> Thank you for the response.
>>
>> Any advice on how I would know exactly what SSL/TLS version Skype is
>> using and how I would enable those versions on my squid box?
>
>
> It has been a while since I investigated Skype but my findings at that time
> were that Skype does not use SSL.
> Instead, it does a CONNECT and wants a tunnel through Squid but the
> SSL bumping only works if the web servers talk SSL+HTTP (HTTPS).
> In short, SSL bumping does not work for Skype.
>
> Marcus
>
>> What are the changes in 3.4.5 in terms of SSL bumping? Would it help me on
>> my existing transparent setup to resolve my Skype issue?
>>
>>
>> Thanks,
>> Jay
>>
>> On Fri, May 2, 2014 at 6:57 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a squid setup that is currently doing transparent SSL
>>>> interception. Almost all websites work flawlessly, like
>>>> https://facebook.com, gmail, banking websites etc. However, when
>>>> intercepting Skype I get the following error in my cache.log
>>>>
>>>>
>>>> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 166: error:1408F10B:SSL
>>>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 155: error:1408F10B:SSL
>>>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>>>> version number (1/-1)
>>>
>>>
>>> This means the SSL/TLS version being requested by the client is not
>>> supported by your proxy.
>>>
>>> For example, if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
>>> your proxy or OpenSSL library is configured to disable those insecure
>>> versions.
>>>
>>> NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
>>> supported versions in software, as the older protocols are vulnerable to
>>> the BEAST and CRIME attacks.
>>>
>>> FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
>>> also may be involved with this.
>>>
>>>
>>>> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 34: error:1408F10B:SSL
>>>>
>>>>
>>>> My Setup:
>>>>
>>>> Our firewall only allows ports 80 and 443 and some business ports,
>>>> which is why Skype will always be redirected by our WCCP router to the
>>>> squid box.
>>>>
>>>> My openssl version is OpenSSL 1.0.1e 11 Feb 2013
>>>
>>>
>>> I hope you have patched that for the Heartbeat vulnerability.
>>>
>>> NOTE: Squid is not particularly susceptible to Heartbeat due to our
>>> memory pooling feature, but there is still some leakage and other
>>> software on the machine will be vulnerable.
>>>
>>>>
>>>> My squid version is 3.4. I also tried different Squid versions but
>>>> failed.
>>>>
>>>
>>> Amos
>
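The two failure modes discussed in this thread (a client that is not speaking SSL/TLS at all on port 443, per Marcus, and a real TLS client whose version the proxy has disabled, per Amos) can be told apart from the first few bytes the client sends. The following is an added example, not code from the thread or from the Squid project: it applies the same record-layer version check that OpenSSL performs before reporting "wrong version number" to captured first bytes, so an operator can see which category a misbehaving flow falls into before touching ssl_bump rules. All sample inputs are constructed; the non-TLS sample is an invented length-prefixed framing and is not Skype's real wire format. The set of enabled versions in proxy_can_negotiate is an assumption for illustration.

```python
"""Classify the first bytes a client sends on an intercepted port-443 flow.

Added example; not from the squid-users thread or the Squid project.
It assumes the client's first bytes were already captured (for instance
from a pcap taken on the WCCP-redirected interface). The non-TLS sample
below is constructed and is not Skype's real protocol.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
VERSION_NAMES = {
    0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
    0x0302: "TLS 1.1", 0x0303: "TLS 1.2",
}


def classify_first_bytes(data: bytes) -> dict:
    """Return what a TLS-terminating proxy would make of these bytes.

    Mirrors the record-layer check behind OpenSSL's 'wrong version
    number': an SSL3/TLS record starts with a content-type byte followed
    by a 2-byte version whose major byte is 3. Anything else cannot be
    bumped, whatever TLS versions the proxy has enabled.
    """
    info = {"tls": False, "family": None, "hello_version": None, "reason": ""}
    if len(data) < 5:
        info["reason"] = "fewer than 5 bytes: no record header to check"
        return info

    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # then message type 0x01 and the highest version the client offers.
    if data[0] & 0x80 and data[2] == HANDSHAKE_CLIENT_HELLO:
        (version,) = struct.unpack("!H", data[3:5])
        info.update(tls=True, family="SSLv2",
                    hello_version=VERSION_NAMES.get(version, hex(version)),
                    reason="SSLv2-format ClientHello")
        return info

    ctype, version, _length = struct.unpack("!BHH", data[:5])
    if (version >> 8) != 3:
        info["reason"] = (f"record version 0x{version:04x} is not SSL3/TLS: "
                          "OpenSSL reports 'wrong version number'")
        return info

    info.update(tls=True, family="SSL3/TLS")
    if ctype != CONTENT_TYPE_HANDSHAKE:
        info["reason"] = f"TLS record of content type 0x{ctype:02x}, not a handshake"
        return info
    if len(data) >= 11 and data[5] == HANDSHAKE_CLIENT_HELLO:
        # ClientHello body: 2-byte client version right after the 4-byte
        # handshake header (bytes 9-10 of the flow).
        (hello_version,) = struct.unpack("!H", data[9:11])
        info["hello_version"] = VERSION_NAMES.get(hello_version, hex(hello_version))
        info["reason"] = "ClientHello"
    else:
        info["reason"] = "handshake record but not a ClientHello"
    return info


def proxy_can_negotiate(data: bytes,
                        enabled_versions=frozenset({"TLS 1.0", "TLS 1.1", "TLS 1.2"})) -> bool:
    """True only for a ClientHello offering a version the proxy still enables.

    The default set is an assumption for this example; it models a proxy
    or OpenSSL build that has SSL 2.0/3.0 disabled, the second failure
    mode described in the thread.
    """
    info = classify_first_bytes(data)
    return info["tls"] and info["hello_version"] in enabled_versions


# Constructed samples (not captures from the thread).
# TLS 1.2 ClientHello: record header, handshake header, version, 32-byte
# random, empty session id, one cipher suite, null compression.
TLS12_CLIENT_HELLO = (bytes.fromhex("160301002d010000290303") + b"\x11" * 32
                      + bytes.fromhex("000002c02f0100"))
# Same hello but offering only TLS 1.0 as its highest version.
TLS10_CLIENT_HELLO = TLS12_CLIENT_HELLO[:9] + b"\x03\x01" + TLS12_CLIENT_HELLO[11:]
# SSLv2-format ClientHello advertising TLS 1.0, with a 16-byte challenge.
SSLV2_CLIENT_HELLO = bytes.fromhex("801f0103010006000000100100800700c0") + b"\x22" * 16
# Invented non-TLS framing: 4-byte length then opaque payload.
NOT_TLS_SAMPLE = bytes.fromhex("0000001c") + b"constructed-opaque-payload"

if __name__ == "__main__":
    for name, sample in [("tls12", TLS12_CLIENT_HELLO), ("tls10", TLS10_CLIENT_HELLO),
                         ("sslv2", SSLV2_CLIENT_HELLO), ("not-tls", NOT_TLS_SAMPLE)]:
        print(name, classify_first_bytes(sample), proxy_can_negotiate(sample))
```

A flow classified as not TLS matches Marcus's description and will keep producing the clientNegotiateSSL errors shown above no matter which versions are enabled; a flow that is a ClientHello but fails proxy_can_negotiate matches Amos's description and points at the proxy's or OpenSSL's version configuration instead.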
Received on Wed May 07 2014 - 02:52:50 MDT

This archive was generated by hypermail 2.2.0 : Wed May 07 2014 - 12:00:04 MDT