OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: kyferez on November 06, 2018, 01:19:48 am

Title: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: kyferez on November 06, 2018, 01:19:48 am
Here's the error I am getting on certain sites like Youtube:

Code: [Select]
The following error was encountered while trying to retrieve the URL: https://www.youtube.com/*

Failed to establish a secure connection to 64.233.185.93

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=us/L=Nowhere/O=TG/CN=TG Proxy CA/emailAddress=##@##.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

I have attempted to add the site to the SSL no bump sites as well as setting the site in the Whitelist to no avail. Google search has stated the fix to this is upgrading Squid: https://serverfault.com/questions/867380/squid-configured-for-ssl-chokes-on-some-sites

Any recommendations?
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: fabian on November 06, 2018, 06:44:33 am
This error means that OpenSSL/LibreSSL cannot find the local CA certificate. This is because your connection is intercepted by another proxy and the behaviour is perfectly fine (it seems to prevent a men in the middle attack to your connection).

You should find out who is messing with your connection.
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: kyferez on November 06, 2018, 06:18:08 pm
I have a 2nd outbound proxy that all web browsing traffic passes through, but it isn't set to do SSL scanning so shouldn't be messing with the SSL connection - and again this works with most sites.

I tried bypassing the 2nd outbound proxy and get a similar but different result, again, only on specific sites like youtube:

Code: [Select]
The following error was encountered while trying to retrieve the URL: https://172.217.3.238/*

Failed to establish a secure connection to 172.217.3.238

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: fabian on November 06, 2018, 08:08:17 pm
can you try to open such a site using curl from the command line?

for example if example.com is broken, execute the following over SSH and then post the result:

curl https://example.com/ -vkI
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: kyferez on November 07, 2018, 01:01:24 am
I assume you meant from OPNsense? If so, here's the result. So on a whim I also tried IE and FireFox; seems to only be Chrome which has this issue.

Code: [Select]
root@OPNsense:~ # curl https://www.youtube.com/ -vkI
*   Trying 172.217.164.46...
* TCP_NODELAY set
* Connected to www.youtube.com (172.217.164.46) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
*  start date: Oct 23 16:54:00 2018 GMT
*  expire date: Jan 15 16:54:00 2019 GMT
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6499fa8d000)
> HEAD / HTTP/2
> Host: www.youtube.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< expires: Tue, 27 Apr 1971 19:44:06 EST
expires: Tue, 27 Apr 1971 19:44:06 EST
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< x-content-type-options: nosniff
x-content-type-options: nosniff
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
< cache-control: no-cache
cache-control: no-cache
< x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
x-xss-protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< date: Tue, 06 Nov 2018 23:48:22 GMT
date: Tue, 06 Nov 2018 23:48:22 GMT
< server: YouTube Frontend Proxy
server: YouTube Frontend Proxy
< set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
set-cookie: VISITOR_INFO1_LIVE=gjFq7WYssGA; path=/; domain=.youtube.com; expires=Sun, 05-May-2019 23:48:21 GMT; httponly
< set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
set-cookie: YSC=zLHS8Ul1c_4; path=/; domain=.youtube.com; httponly
< set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
set-cookie: GPS=1; path=/; domain=.youtube.com; expires=Wed, 07-Nov-2018 00:18:21 GMT
< alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
< accept-ranges: none
accept-ranges: none
< vary: Accept-Encoding
vary: Accept-Encoding

<
* Connection #0 to host www.youtube.com left intact
root@OPNsense:~ #
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: fabian on November 07, 2018, 06:39:12 am
From that output your TLS connection works flawlessly. If this is a chrome issue, it may have pinned the CA or certificate.
However the headers you get as a result will not pin. Maybe there is something hardcoded in the browser.
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: kyferez on November 16, 2018, 09:16:19 pm
Ok, another SSL issue with Squid. This one looks like Squid doesn't like something about the Server Hello. Not browser specific. The site is prosper.com

It seems obvious that it's an unknown cipher, but here we see the client hello having the same cipher, ID 0xcca8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

See attachment.

Message is below
Code: [Select]
The following error was encountered while trying to retrieve the URL: https://104.16.112.58/*

Failed to establish a secure connection to 104.16.112.58

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned
Title: Re: Squid Error on some SSL Sites, possibly need Squid upgraded to fix
Post by: fabian on November 16, 2018, 10:39:08 pm
the TLS connection works directly in Firefox so in general the site is working. They are having an EV certificate with an intermediate but that should not cause any issues. Have you tried switching between LibreSSL / OpenSSL (or at least try the other one in a VM)?

The FIN is sent because OpenSSL or LibreSSL has probably an issue with the server hello and it may trigger a bug in the crypto library.
BTW: The error message for failing at the cipher decision would be different.