On 05/07/2014 10:55 AM, Pawel Mojski wrote:
> W dniu 2014-05-07 15:40, Marcus Kool pisze:
>
> [...]
>>> certificate chain:
>>> Certificate chain
>>> 0 s:/CN=*.gateway.messenger.live.com
>>> i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
>>> 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
>>> i:/CN=Microsoft Internet Authority
>>> 2 s:/CN=Microsoft Internet Authority
>>> i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>
>> There is a misunderstanding here.
>> Skype does not use SSL, it only uses port 443 which is commonly used
>> by SSL,
>> but skype knows that there is a proxy and uses the CONNECT method to
>> get a tunnel from Squid.
>> Squid (without SSL-bump) than simply "tunnels" (i.e. passes everything
>> from the client to the server and back).
>> But _with_ ssl-bump Squid assumes that the CONNECT is for a SSL
>> connection and this assumption is wrong.
>
> Sorry, but you are wrong. Skype *IS* using ssl like you can see on
> example above.
> That example was made on openssl -connect
> ip.from.sniffing.my.own.skype:443 and as you can see, it's a proper SSL
> connection.
> But, no one of us have any idea what is the native protocol, all what we
> can figure out it is SSL connection. This is some kind of protocol over SSL.
Skype starts connecting to a node so a Skype node is a critical component.
Lets look at a Skype node at 157.55.235.144 :
openssl s_client -connect 157.55.235.144:443
CONNECTED(00000003)
139691491997512:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
--- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 263 bytes There is no SSL. So at least part of Skype uses port 443 for non-SSL traffic. This observation matches the error messages in the original post: 2014/05/02 18:18:11 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 166: error:1408F10B:SSL so also Squid cannot negotiate an SSL connection because the server uses an other protocol. The design of Squid ssl-bump assumes that a CONNECT to a server always has an SSL-based communication channel and therefore any software that uses non-SSL traffic on port 443 fails to work with ssl-bump. MarcusReceived on Wed May 07 2014 - 21:27:36 MDT
This archive was generated by hypermail 2.2.0 : Thu May 08 2014 - 12:00:04 MDT