Re: [squid-users] Skype Issues

Mon, 27 Jun 2016 07:30:15 -0700

Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 already not supported everywhere, RC4/3DES is SSLv3 ciphers, so it can be confuse software. I.e., you use custom ciphers/protocols combinations, which can lead issue. 

27.06.2016 20:25, Renato Jop пишет:

Thank you both for your valuable help.

I've configured the tls-dh param with a strong Diffie-Hellman group 
(2048 bits) and configured the cipher as Yuri specified and I was able 
to get pass the unknown cipher, however now I get a "SSL 
routines:SSL3_GET_RECORD:wrong version number". Here's the 
configuration I changed:
 cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS 
dhparams=/etc/dh-parameters.2048 
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE 
tls-dh=/usr/local/etc/squid/dhparams.pem




Renato Jop


On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoi...@gmail.com 
<mailto:yvoi...@gmail.com>> wrote:



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256



    25.06.2016 <tel:25.06.2016> 23:09, Amos Jeffries пишет:
    > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
    >>
    >> Amos, you are a wrong.
    >>
    >> No Squid-4. It's unstable and not ready for production.
    Whenever it's
    >> features.
    >
    > So some beta software has bugs therefore nobody should ever use
    it for
    > anything. I find that to be a strange and sad view of the world.
    >
    > Care to guess why I listed it as the last option amongst several?
    >  Or why 4.0.11 exists as a beta still?
    > It *is* an option for the mentioned problem(s) though whatever its
    utility.
    Agreed.
    >
    >
    >
    >>
    >> Some time ago I have the same issue and know what happens exactly.
    >>
    >> Skype initial connection site uses RC4 cipher. Which is
    disabled in most
    >> squid's configuration.
    >
    > Your "know what happens exactly" differs from at least two other
    peoples
    > debugging experiences with Skype.
    >
    > RC4 is on the hitlist for most of the big vendors for the past
    year or
    > so. IIRC there were several Windows Updates to remove it and other
    > broken bits from a lot of things over the past year.
    > If Skype is still using RC4 it might be part of this problem.
    I'm sure this is problem and this problem exists. MS do nothing to
    make
    they sites/services more secure. BTW, MS Updates uses RC4 ciphers
    itself
    this time. With strong siphers there is no way to setup WU via Squid.
    I've spent much time to identify this problem in my setup and find
    working workaround.

    Another part of problem is: MS often uses it's own self-signed roots,
    which is exists in Windows, but nowhere else. And which has not
    cross-signed by well-known root CA's. They think it make MS services
    more secure. They wrong. But we can't do anything with it. So, this is
    forced us to add self-signed MS roots to our Squid's CA bundles to
    bump/splice.
    >
    >
    >>
    >> To make it works (as by as most M$ update sites) it's require
    simple use
    >> this cipher's suite:
    >>
    >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
    >>
    >> That works for me in 5 SSL bumped setups. There is no matter
    which squid
    >> version installed.
    >
    > Thank you. Thats another option then. I'd rate that below trying
    the EC
    > ciphers, and above library updates.
    You are welcome.

    Just for information: MS has own IT infrastructure, with some strange
    configured and non well-managed elements. I can't guarantee this
    workaround will work everywhere or for every MS service.

    When I made my research, I've seen some strange security TLS
    combinations on MS sites/services. I.e., for example,
    RC4+ECDSA+TLSv1.2.
    Or, for example, RC4+MD5+TLSv1. And some similar. Very idiotic and
    potentially dangerous combinations. And - they support ignores all
    requests. As usual.

    To my regret, I can not order all of its users to abandon the use of
    Windows. So far, in my infrastructure have machines with Windows XP.

    With this nothing can be done, it is necessary only to weaken the
    security - for the sake of compatibility.
    >
    >
    > Amos
    > _______________________________________________
    > squid-users mailing list
    > squid-users@lists.squid-cache.org
    <mailto:squid-users@lists.squid-cache.org>
    > http://lists.squid-cache.org/listinfo/squid-users

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQEcBAEBCAAGBQJXbsC5AAoJENNXIZxhPexGiFoH/jrtimBNppF1uHpVTNwOO10z
    yF2APMA56S8woNZzhUNjT8+oJFPrthnMoQFrqgicjS77SBAFp9KcOV+SxOKl9+sW
    OdAHDPuCD7dGnKzAdFDR1YR7Vp5IpElP1rFO5rqKXeBc3iKjq65BfF+T6atHy6cS
    0VAaluvqvHQps2wVKoYxGURDf3Y2K0lJn+qF+s2CaBwEufhzgKSvG0aUIDqTfHfK
    3EMQTpPtlTqm+pcexR+oZM1WE1hlES1khOXs51fgo6puPryqWJiHGvO4EBEfWoXF
    Skval2COzcdzMvC5jjfGbMEPNGNJrYUeq/KNgppRvE2wQJ+gCLYG317decKHty0=
    =8BTp
    -----END PGP SIGNATURE-----


    _______________________________________________
    squid-users mailing list
    squid-users@lists.squid-cache.org
    <mailto:squid-users@lists.squid-cache.org>
    http://lists.squid-cache.org/listinfo/squid-users





_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users






















					Reply via email to