Hi Amos,
Thank you for the response.
Any advice of how would I know exactly what SSL/TLS version skype is
using and how do I enable those versions to my squid box?
What are changes in 3.4.5 in terms of ssl bumping? Would it help me on
my existing transparent setup to resolve my skype issue?
Thanks,
Jay
On Fri, May 2, 2014 at 6:57 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 2/05/2014 10:34 p.m., Jay Jimenez wrote:
>> Hi,
>>
>> I have squid setup that is currently doing transparent SSL
>> interception. Almost all websites work flawlessly like
>> https://facebook.com, gmail, banking websites etc. However, when
>> intercepting SKYPE I've got the following error on my cache.log
>>
>>
>> 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 166: error:1408F10B:SSL
>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 155: error:1408F10B:SSL
>> routines:SSL3_GET_RECORD:wrong version number (1/-1)
>> 2014/05/02 18:18:16 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 26: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>> version number (1/-1)
>
> This means the SSL/TLS version being requested by the client is not
> supported by your proxy.
>
> For example; if Skype requires one of SSL/1.0, SSL/2.0 or SSL/3.0 and
> your proxy or OpenSSL library is configured to disable those insecure
> versions.
>
> NP: It is becomming common for TLS/1.1 or TLS/1.2 to be the only
> supported versions in software as the older protocols are vulnerable to
> the BEAST and CRIME attacks.
>
> FYI: 3.4.5 comes out in a few hours. It has an update to CONNECT which
> also may be involved with this.
>
>
>> 2014/05/02 18:18:21 kid1| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 34: error:1408F10B:SSL
>>
>>
>> My Setup:
>>
>> Our firewall only allows ports 80 and 443 and some business ports
>> that's why Skype will always be redirected by our WCCP router to the
>> squid box.
>>
>> My openssl version is OpenSSL 1.0.1e 11 Feb 2013
>
> I hope you have patched that for the Heartbeat vulnerability.
>
> NOTE: Squid is not particularly suceptible to Heartbeat due to our
> memory pooling feature but there is still some leakage and other
> software on the machine will be vulnerable.
>
>>
>> My squid version is 3.4. I also tried different Squid versions but failed.
>>
>
>
>
> Amos
Received on Fri May 02 2014 - 11:21:55 MDT
This archive was generated by hypermail 2.2.0 : Sat May 03 2014 - 12:00:04 MDT