It looks like your SSL library no longer contains SSLv3 protocol support, but the site announces it.

27.06.2016 20:42, Renato Jop writes:
I removed NO_SSLv2, NO_SSLv3; however, right before the SSL3_GET_RECORD:wrong version number error, SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol is shown.

Renato Jop

On Mon, Jun 27, 2016 at 8:29 AM, Yuri <yvoi...@gmail.com> wrote:

    Try to remove NO_SSLv2,NO_SSLv3 from options. SSLv2 is already unsupported
    everywhere, and RC4/3DES are SSLv3 ciphers, so it can confuse software.
    I.e., you use custom cipher/protocol combinations, which can lead to
    issues.


    27.06.2016 20:25, Renato Jop writes:
    Thank you both for your valuable help.
    I've configured the tls-dh param with a strong Diffie-Hellman group
    (2048 bits) and configured the cipher as Yuri specified, and I was able
    to get past the unknown cipher; however, now I get an
    "SSL routines:SSL3_GET_RECORD:wrong version number". Here's the
    configuration I changed:
    cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
    dhparams=/etc/dh-parameters.2048
    options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    tls-dh=/usr/local/etc/squid/dhparams.pem



    Renato Jop

    On Sat, Jun 25, 2016 at 11:34 AM, Yuri Voinov <yvoi...@gmail.com> wrote:





        25.06.2016 23:09, Amos Jeffries writes:
        > On 26/06/2016 4:32 a.m., Yuri Voinov wrote:
        >>
        >> Amos, you are wrong.
        >>
        >> No Squid-4. It's unstable and not ready for production. Whatever its
        >> features.
        >
        > So some beta software has bugs, therefore nobody should ever use it for
        > anything. I find that to be a strange and sad view of the world.
        >
        > Care to guess why I listed it as the last option amongst several?
        >  Or why 4.0.11 exists as a beta still?
        > It *is* an option for the mentioned problem(s) though, whatever its
        > utility.
        Agreed.
        >
        >
        >
        >>
        >> Some time ago I had the same issue and know what happens exactly.
        >>
        >> Skype's initial connection site uses the RC4 cipher, which is disabled
        >> in most squid configurations.
        >
        > Your "know what happens exactly" differs from at least two other
        > people's debugging experiences with Skype.
        >
        > RC4 is on the hitlist for most of the big vendors for the past year or
        > so. IIRC there were several Windows Updates to remove it and other
        > broken bits from a lot of things over the past year.
        > If Skype is still using RC4 it might be part of this problem.
        I'm sure this is a problem and this problem exists. MS does nothing to
        make their sites/services more secure. BTW, MS Updates itself uses RC4
        ciphers at this time. With strong ciphers there is no way to set up WU
        via Squid. I've spent much time identifying this problem in my setup
        and finding a working workaround.

        Another part of the problem is: MS often uses its own self-signed
        roots, which exist in Windows, but nowhere else, and which have not
        been cross-signed by well-known root CAs. They think it makes MS
        services more secure. They are wrong. But we can't do anything about
        it. So this forces us to add the self-signed MS roots to our Squid CA
        bundles to bump/splice.
        >
        >
        >>
        >> To make it work (as well as most M$ update sites) it simply requires
        >> using this cipher suite:
        >>
        >>
        >> HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
        >>
        >> That works for me in 5 SSL-bumped setups. It does not matter which
        >> squid version is installed.
        >
        > Thank you. That's another option then. I'd rate that below trying the
        > EC ciphers, and above library updates.
        You are welcome.

        Just for information: MS has its own IT infrastructure, with some
        strangely configured and not well-managed elements. I can't guarantee
        this workaround will work everywhere or for every MS service.

        When I did my research, I saw some strange TLS security combinations
        on MS sites/services. For example, RC4+ECDSA+TLSv1.2. Or, for example,
        RC4+MD5+TLSv1. And some similar. Very idiotic and potentially
        dangerous combinations. And their support ignores all requests. As
        usual.

        To my regret, I cannot order all of my users to abandon the use of
        Windows. So far, my infrastructure has machines with Windows XP.

        Nothing can be done about this; it is only necessary to weaken the
        security, for the sake of compatibility.
        >
        >
        > Amos
        > _______________________________________________
        > squid-users mailing list
        > squid-users@lists.squid-cache.org
        > http://lists.squid-cache.org/listinfo/squid-users








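As an added example, not from the thread and not Squid's own code, here is the check on the proxy host that the diagnosis at the top of the thread calls for: whether the local OpenSSL build still knows SSLv3 at all, and which of the RC4 and 3DES suites that the posted cipher string asks for by name actually survive when the library resolves that string. OpenSSL accepts a cipher string as long as at least one suite matches, so a compiled-out or disabled family is dropped without any error; Squid then simply offers less than the operator thinks. The cipher string is the one posted in the thread; the stricter comparison string, the function names and the report format are this example's own assumptions.

```python
import ssl

# Cipher string posted in the thread (kept for reference; it is weak by design).
THREAD_CIPHERS = "HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"

# Assumed stricter string for comparison: no RC4, no 3DES, no MD5, no NULL.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!PSK:!SRP:!DSS"

# Positive tokens a weak string might name -> substring OpenSSL uses in the
# corresponding suite names (e.g. ECDHE-RSA-RC4-SHA, ECDHE-RSA-DES-CBC3-SHA).
LEGACY_TOKENS = {"RC4": "RC4", "3DES": "DES-CBC3"}


def resolve_ciphers(cipher_string):
    """Suite names the local OpenSSL build enables for an OpenSSL cipher string.

    Returns [] when the library cannot select any suite from it (unknown
    tokens, or every matching suite compiled out or disabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # this context never connects anywhere
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:                # "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def silently_dropped(cipher_string=THREAD_CIPHERS):
    """Legacy families named positively in the string that the library does
    not enable at all. No error is raised for these; the string just does
    less than it says."""
    names = resolve_ciphers(cipher_string)
    positive = {tok for tok in cipher_string.split(":") if not tok.startswith("!")}
    return sorted(tok for tok, needle in LEGACY_TOKENS.items()
                  if tok in positive and not any(needle in n for n in names))


def legacy_support(cipher_string=THREAD_CIPHERS):
    """Report what the library makes of a cipher string and whether SSLv3
    is still compiled in (the question raised at the top of the thread)."""
    names = resolve_ciphers(cipher_string)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # ssl.HAS_SSLv3 exists from Python 3.7; older Pythons report False.
        "sslv3_in_library": bool(getattr(ssl, "HAS_SSLv3", False)),
        "suites_enabled": len(names),
        "rc4_suites": sorted(n for n in names if "RC4" in n),
        "3des_suites": sorted(n for n in names if "DES-CBC3" in n),
        "dropped_tokens": silently_dropped(cipher_string),
    }


if __name__ == "__main__":
    for label, s in (("thread string", THREAD_CIPHERS), ("strong string", STRONG_CIPHERS)):
        info = legacy_support(s)
        print(f"{label}: {info['suites_enabled']} suites, "
              f"RC4={len(info['rc4_suites'])}, 3DES={len(info['3des_suites'])}, "
              f"dropped={info['dropped_tokens']}")
    print("OpenSSL:", ssl.OPENSSL_VERSION, "SSLv3 compiled in:",
          legacy_support()["sslv3_in_library"])
```

If this reports `dropped_tokens: ['RC4']` on the proxy, the posted workaround cannot work there no matter what Squid is told, and the only remaining options are the ones Amos lists (EC ciphers, a different library build). The `SSL3_GET_RECORD:wrong version number` error is a separate symptom: the bytes that came back did not parse as a TLS record at all, so the next step is to run `openssl s_client -connect host:443` against the origin from the proxy host, outside Squid, and see what the origin actually speaks.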
