Re: [squid-users] Skype SSL is incompatible with OpenSSL

From: Pawel Mojski <pawcio_at_pawcio.net>
Date: Wed, 07 May 2014 11:44:21 +0200

On 2014-05-07 04:52, Jay Jimenez wrote:
> Hi Marcus and Amos,

[...]

> I'm wondering if there's someone who successfully allowed Skype to
> fake CONNECT to squid (I'm referring to interception not explicit
> proxying). I cannot fully implement https interception until I find a
> solution to properly intercept Skype.
>
> Many thanks in advance for all the help.

It is very difficult to implement it on squid, but, theoretically, you
may bypass any sslbumping to a remote side which introduces itself with this
certificate chain:
Certificate chain
 0 s:/CN=*.gateway.messenger.live.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

You can *try* to prepare your own external acl helper to check it.
Skype transmission by design is ssl over 443 tcp port, but if skype
detects that the remote server is introducing itself with a wrong certificate,
then it just drops the connection.
We can't even check if the transmission is really http over ssl, it might be
anything.

But the most important question is: why do you want to do it?
By letting skype go through you are opening your local network to I really
don't know what. It can be any transmission, file sharing, remote
desktop, you name it. So you can throw away all your security mechanisms;
they are useless with open skype.

Regards;
Pawel Mojski
Received on Wed May 07 2014 - 09:44:36 MDT
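
An added sketch of the external ACL helper the reply suggests trying (not code from the original message or from the Squid project): it fetches the chain a destination presents and answers OK only when the subject/issuer pairs equal the chain quoted above. It assumes the helper is declared with `external_acl_type` using the format `%DST %PORT` and no concurrency, and that `openssl s_client` prints names in the one-line form shown in the message; all function names are hypothetical.

```python
import re
import subprocess
import sys

# Subject/issuer pairs copied from the chain quoted in the message above.
EXPECTED_CHAIN = [
    ("/CN=*.gateway.messenger.live.com",
     "/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2"),
    ("/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2",
     "/CN=Microsoft Internet Authority"),
    ("/CN=Microsoft Internet Authority",
     "/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root"),
]
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.+?)\s*$")
_ISSUER = re.compile(r"^\s*i:(.+?)\s*$")

def parse_chain(text):
    """Return [(subject, issuer), ...] from an s_client 'Certificate chain' block."""
    chain, subject, in_block = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.startswith("---"):
            break  # end of the chain block
        elif in_block and _SUBJECT.match(line):
            subject = _SUBJECT.match(line).group(1)
        elif in_block and subject and _ISSUER.match(line):
            chain.append((subject, _ISSUER.match(line).group(1)))
            subject = None
    return chain

def fetch_chain(host, port):
    """Ask the origin server for its chain (no verification is done here)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True, timeout=10)
    return proc.stdout.decode(errors="replace")

def handle(line, fetch=fetch_chain):
    """Map one helper request line ('<dst> <port>') to a Squid verdict."""
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "ERR"
    try:
        chain = parse_chain(fetch(parts[0], parts[1]))
    except (OSError, subprocess.SubprocessError):
        return "ERR"  # fail closed: an unreachable server is not exempted
    return "OK" if chain == EXPECTED_CHAIN else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:
        print(handle(request), flush=True)
```

Matching subject and issuer strings does not validate any signature, so any server can present certificates carrying these names; treat a match as a hint about the peer, not proof of its identity.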
