Re: [squid-users] SSLBump SSL error (FAO Henrik)

From: Alex Crow <alex_at_nanogherkin.com>
Date: Tue, 14 Feb 2012 12:20:01 +0000

Henrik,

Strangely, s_client without any additional parameters seems to work:

OpenSSL> s_client -connect applyonline.abbeynational.co.uk:443
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

---
Certificate chain
  0 s:/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=GRUPO SANTANDER/OU=IT 
Security Operations/CN=applyonline.abbeynational.co.uk
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use 
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International 
Server CA - G3
  1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use 
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International 
Server CA - G3
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public 
Primary Certification Authority - G5
  2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public 
Primary Certification Authority - G5
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification 
Authority
  3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification 
Authority
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification 
Authority
---
Server certificate
subject=/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=GRUPO SANTANDER/OU=IT 
Security Operations/CN=applyonline.abbeynational.co.uk
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use 
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International 
Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4982 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2047 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : RC4-MD5
     Session-ID: 
000177046B41D09E52DF67FAA4754DF1EB8B407B585858584F3A4D790000004B
     Session-ID-ctx:
     Master-Key: 
0F3544CC04C7858B318C0C80BA75EFE6DFF8DE5D20704FFB0E6F4C1A73FC748B15AD3FF40B3AD67578E722E824FFC0FE
     Key-Arg   : None
     Start Time: 1329220786
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
Unless that verify return code is a problem?
I really don't know where to go from here...
Thanks
Alex
On 12/02/12 11:57, Henrik Nordström wrote:
> Sat 2012-02-11 at 10:34 +0000, Alex Crow wrote:
>
>> Henrik,
>>
>> I have tried adding the line "sslproxy_cipher ALL:!COMPLEMENTOFDEFAULT"
>> instead of specifying it in the http_port line.
>>
>> It's still failing negotiation on the abbeynational request.
>>
>> Any help would be much appreciated.
> Try playing with openssl s_client until you find settings that the
> server accepts.
>
> That's how I found the cipher setting that works for me.
>
> Then use this in the sslproxy_cipher directive in Squid to tell Squid what
> it should use.
>
> Note: http_port is the wrong place. This controls the ciphers used
> towards clients only.
>
> Regards
> Henrik
>
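To check what a pasted s_client run actually established (which cipher was agreed, and whether verify code 19 blocks anything), here is an added Python example that is not part of this thread: it parses s_client's text output, classifies the verify return code, and wraps the per-cipher probing Henrik suggests. The sample output, the `TRUST_CODES` table and the `probe` helper are this example's own assumptions.

```python
import re
import subprocess

# Constructed sample modelled on the s_client output quoted in the thread (abbreviated).
SAMPLE_OUTPUT = """CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# OpenSSL verify codes that mean "local trust store problem", not "handshake failed".
TRUST_CODES = {18: "self-signed leaf certificate", 19: "self-signed root not in local trust store",
               20: "issuer certificate not found locally"}

def parse_s_client(text):
    """Pull the negotiation-relevant fields out of s_client's text output."""
    info = {"connected": "CONNECTED(" in text}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    info["protocol"] = m.group(1) if m else None
    m = re.search(r"^New, .*Cipher is (\S+)", text, re.M)
    info["cipher"] = m.group(1) if m and m.group(1) != "(NONE)" else None  # (NONE): nothing agreed
    m = re.search(r"Verify return code: (\d+)", text)
    info["verify_code"] = int(m.group(1)) if m else None
    return info

def assess(info):
    """Separate 'the server refused our cipher list' from 'we could not verify its chain'."""
    findings = []
    if info["cipher"] is None:
        findings.append("handshake failed: no cipher agreed (retry with another -cipher list)")
    else:
        findings.append("handshake OK with %s over %s" % (info["cipher"], info["protocol"]))
    code = info["verify_code"]
    if code == 0:
        findings.append("chain verified against the local trust store")
    elif code in TRUST_CODES:  # s_client reports these but still completes the handshake
        findings.append("verify code %d: %s; re-run with -CAfile to confirm" % (code, TRUST_CODES[code]))
    return findings

def probe(host, port=443, cipher=None):
    """Run openssl s_client (optionally restricted to one cipher list) and parse the result."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]
    if cipher:
        cmd += ["-cipher", cipher]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout
    return parse_s_client(out.decode("utf-8", "replace"))
```

To follow Henrik's advice, call `probe(host, cipher=...)` once per candidate cipher list and put the first list that yields a "handshake OK" finding into `sslproxy_cipher`.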
Received on Tue Feb 14 2012 - 12:20:06 MST
