Re: [squid-users] Skype SSL is incompatible with OpenSSL

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Fri, 02 May 2014 16:02:01 -0300

On 05/02/2014 08:21 AM, Jay Jimenez wrote:
> Hi Amos,
>
> Thank you for the response.
>
> Any advice on how I would know exactly what SSL/TLS version Skype is
> using, and how I enable those versions on my Squid box?

It has been a while since I investigated Skype but my findings at that time
were that Skype does not use SSL.
Instead, it does a CONNECT and wants a tunnel through Squid but the
SSL bumping only works if the web servers talk SSL+HTTP (HTTPS).
In short, SSL bumping does not work for Skype.

Marcus

> What are changes in 3.4.5 in terms of ssl bumping? Would it help me on
> my existing transparent setup to resolve my skype issue?
>
>
> Thanks,
> Jay
>
> On Fri, May 2, 2014 at 6:57 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
>>> Hi,
>>>
>>> I have squid setup that is currently doing transparent SSL
>>> interception. Almost all websites work flawlessly like
>>> https://facebook.com, gmail, banking websites etc. However, when
>>> intercepting SKYPE I've got the following error on my cache.log
>>>
>>>
>>> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
>>> connection on FD 166: error:1408F10B:SSL
>>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>>> connection on FD 155: error:1408F10B:SSL
>>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>>> connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>>> version number (1/-1)
>>
>> This means the SSL/TLS version being requested by the client is not
>> supported by your proxy.
>>
>> For example, if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
>> your proxy or OpenSSL library is configured to disable those insecure
>> versions.
>>
>> NP: It is becoming common for TLS/1.1 or TLS/1.2 to be the only
>> supported versions in software as the older protocols are vulnerable to
>> the BEAST and CRIME attacks.
>>
>> FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
>> also may be involved with this.
>>
>>
>>> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
>>> connection on FD 34: error:1408F10B:SSL
>>>
>>>
>>> My Setup:
>>>
>>> Our firewall only allows ports 80 and 443 and some business ports
>>> that's why Skype will always be redirected by our WCCP router to the
>>> squid box.
>>>
>>> My openssl version is OpenSSL 1.0.1e 11 Feb 2013
>>
>> I hope you have patched that for the Heartbeat vulnerability.
>>
>> NOTE: Squid is not particularly susceptible to Heartbeat due to our
>> memory pooling feature but there is still some leakage and other
>> software on the machine will be vulnerable.
>>
>>>
>>> My squid version is 3.4. I also tried different Squid versions but failed.
>>>
>>
>> Amos
>
>
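The thread turns on reading `clientNegotiateSSL ... wrong version number` entries in cache.log: Amos reads them as a client asking for a protocol version the proxy does not offer, Marcus as a client that never speaks TLS at all inside its CONNECT tunnel. The script below is an added example, not code from the thread or from the Squid project. It parses the Squid 3.x log format quoted above into structured records, tallies failures by reason and file descriptor, and applies the same kind of three-byte header check that OpenSSL's record layer performs (`SSL3_GET_RECORD`) so an operator who captures the first bytes a client sends can tell a real TLS ClientHello from an old SSLv2 hello or from plain non-TLS traffic. The sample log lines are the ones quoted in the thread; the byte samples are constructed. The meaning of the trailing `(1/-1)` pair is an assumption (Squid's `SSL_get_error()` code and the `SSL_accept()` return value), as is the regex itself.

```python
"""Triage Squid clientNegotiateSSL failures from cache.log.

Added example for the squid-users thread above; not Squid project code.
Assumes the Squid 3.x log line format quoted in the thread. The trailing
"(a/b)" pair is assumed to be SSL_get_error() code / SSL_accept() return.
"""
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)"
    r"(?: \((?P<ssl_err>-?\d+)/(?P<ret>-?\d+)\))?\s*$"
)


class NegotiationError(NamedTuple):
    ts: str
    kid: str
    fd: int
    code: str              # packed OpenSSL error code, e.g. 1408F10B
    func: str              # OpenSSL routine, e.g. SSL3_GET_RECORD
    reason: str            # OpenSSL reason string, e.g. "wrong version number"
    ssl_err: Optional[int]  # assumed: SSL_get_error() value (None if truncated)
    ret: Optional[int]      # assumed: SSL_accept() return value (None if truncated)


def parse_line(line: str) -> Optional[NegotiationError]:
    """Return a NegotiationError for a matching cache.log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return NegotiationError(
        g["ts"], g["kid"], int(g["fd"]), g["code"].upper(), g["func"],
        g["reason"].strip(),
        int(g["ssl_err"]) if g["ssl_err"] is not None else None,
        int(g["ret"]) if g["ret"] is not None else None,
    )


def summarize(lines: Iterable[str]) -> dict:
    """Count negotiation failures by reason and list the FDs affected."""
    errors = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    return {
        "total": len(errors),
        "by_reason": dict(Counter(e.reason for e in errors)),
        "fds": [e.fd for e in errors],
    }


# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(data: bytes) -> str:
    """Approximate the record-header check behind "wrong version number".

    A TLS record starts with a content type, then version major 0x03 and a
    minor of 0x00..0x04 (SSL 3.0 through TLS 1.3). An SSLv2 ClientHello has
    the high bit of the first length byte set and message type 0x01. Anything
    else (plain HTTP, a proprietary protocol inside a CONNECT tunnel) is what
    the thread's Skype traffic looks like to the bumping proxy.
    """
    if len(data) < 3:
        return "too-short"
    if data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    return "not-tls"


# Sample log lines: the three quoted in the thread plus one unrelated line.
SAMPLE_LOG = [
    "2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)",
    "2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 155: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)",
    "2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)",
    "2014/05/02 18:18:30 kid1| Starting Squid Cache version 3.4 for x86_64 (constructed filler line)",
]

# Constructed first-bytes samples a client might send after CONNECT.
SAMPLE_PREFIXES = {
    "tls1.2 handshake record": bytes.fromhex("160303"),
    "sslv2 hello": bytes.fromhex("802e01"),
    "plain http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for name, blob in SAMPLE_PREFIXES.items():
        print(f"{name}: {classify_first_bytes(blob)}")
```

Run against a real cache.log, `summarize()` shows whether the failures cluster on one reason string; `wrong version number` on every FD is the signature of clients that are either negotiating a version the proxy has disabled or, as Marcus describes for Skype, not speaking TLS through the tunnel at all, and `classify_first_bytes()` on a packet capture of the client's first record distinguishes the two cases.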
Received on Fri May 02 2014 - 19:02:07 MDT

This archive was generated by hypermail 2.2.0 : Wed May 07 2014 - 12:00:04 MDT