ERR_SSL_OBSOLETE_CIPHER with Squid RP

cjs1976

Hi,

so far I found the following BAD solution:

1. The configuration of the Squid Reverse Prox is saved under: '/usr/local/etc/squid/squid.conf'.

2. There is a section called '# Reverse Proxy settings'

3. There are a lot of parameters for each entry. For the https stuff there are also the parameters which create the problem: 'cipher=' and 'options='

4. I found this article: http://www.rawiriblundell.com/?p=1442

5. I know, that I should not touch this file manually, but I wanted to see if this is the problem. So I changed the values for 'cipher' and 'options' like described in the article. I restarted the Squid service.

IT WORKS!!!

Can you please try and let me know??? Don't forget to backup the old configuration first!!!

Thanks,
Christian.

Flodu31

Hello,
Thanks for this, it works. I've now an access denied but the error with cipher has disappear.
Thanks again.
Florent

EDIT: I always have the same problem :(
Did you do this: # Disable TLS Compression
export OPENSSL_NO_DEFAULT_ZLIB=1
?
Thanks

cjs1976

Hi,

and no, disabling the TLS Compression seems to be not needed. All well known browsers are now able to cennect to my website.

Of course there is more stuff to do, but first I need to find a clean solution for the cipher and options problem. I was quickly checking the sourcecode of the package, and there is some hardcoded stuff, but I need more time.

I let you know, if I find a solution.

Thanks,
Christian.

Flodu31

Ok perfect, thanks you :)
Florent

cjs1976

# # # # # # # #

Squid: http://www.squid-cache.org

The real name of the squid package for pfSense is pfSense-pkg-squid, and it is part of the FreeBSD-ports.

The sourcecode of FreeBSD-ports can be found under: https://github.com/pfsense/FreeBSD-ports

The sourcecode of pfSense-pkg-squid can be found under: https://github.com/pfsense/FreeBSD-ports/tree/devel/www/pfSense-pkg-squid

The actual version number is: 0.4.23_1

Mozilla Security/Server Side TLS: https://wiki.mozilla.org/Security/Server_Side_TLS

Mozilla Security/TLS Configurations: https://wiki.mozilla.org/Security/TLS_Configurations

Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator

The Chromium Projects - TLS/SSL: https://www.chromium.org/Home/chromium-security/education/tls

SSL Labs - SSL and TLS Deployment Best Practices: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Nartac IIs Crypto: https://www.nartac.com/Products/IISCrypto

SSL Cipher Suite Details of Your Browser: https://cc.dcsec.uni-hannover.de

Google Chrome Version 54:
–-----------------------
ECDHE-ECDSA-AES128-GCM-SHA256128
ECDHE-RSA-AES128-GCM-SHA256128
ECDHE-ECDSA-AES256-GCM-SHA384256
ECDHE-RSA-AES256-GCM-SHA384256
ECDHE-ECDSA-AES128-SHA128
ECDHE-RSA-AES128-SHA128
ECDHE-ECDSA-AES256-SHA256
ECDHE-RSA-AES256-SHA256
RSA-AES128-GCM-SHA256128
RSA-AES256-GCM-SHA384256
RSA-AES128-SHA128
RSA-AES256-SHA256
RSA-3DES-EDE-SHA168
EMPTY-RENEGOTIATION-INFO-SCSV0

Microsoft Edge:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
RSA-AES256-GCM-SHA384
RSA-AES128-GCM-SHA256
DH-RSA-MISTY1-SHA
DH-DSS-MISTY1-SHA
RSA-AES256-SHA
RSA-AES128-SHA
RSA-3DES-EDE-SHA
DHE-DSS-AES256-SHA256
DH-ANON-MISTY1-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-3DES-EDE-SHA
EMPTY-RENEGOTIATION-INFO-SCSV

Mozilla Firefox Version 50:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
RSA-AES128-SHA
RSA-AES256-SHA
RSA-3DES-EDE-SHA
EMPTY-RENEGOTIATION-INFO-SCSV

Qualys SSL Labs - SSL Server Test: https://www.ssllabs.com/ssltest

SSL Shopper - SSL Checker: https://www.sslshopper.com/ssl-checker.html

SSL chain certificate resolver: https://certificatechain.io

Comodo Certification Authority > Root & Intermediate(s): https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/71

DigiCert SSL Utility: https://www.digicert.com/util

# # # # # # # #

The ciphers and options are hardcoded in the file /usr/local/pkg/squid_reverse.inc, so depending on what (Modern or Intermediate) you choose in the GUI under Services -> Squid Reversy Proxy -> General -> Squid Reverse Security Settings -> Compatibility mode, the system will automatically put these vales:

Modern:

$ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
$options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

Intermediate:

$ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
$options = "options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

I don't know if this is related to: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

But what I found out is, that this was made for old browsers (e.g. Firefox 27 => actual is 50, Chrome 30 = actual is 54 ...)

# # # # # # # #

To simply change the /usr/local/etc/squid/squid.conf manually will not solve the problem, because with every system update or every config change, we would need to 'repair' our squid.conf.

So I created this quick solution:

1. Add an additional option in the file /usr/local/pkg/squid_reverse_general.xml. The option-list for the field 'Compatibility mode' starts at line 291.

2. Add an additional if-statement for the new option in the file /usr/local/pkg/squid_reverse.inc. The if-block for this starts at line 139.

First I tried the values from this article: http://www.rawiriblundell.com/?p=1442.
Then I tried a lot of others, but in the end I had always 1 problem left: either Chrome was not happy with the cipher, or the SSL test told me 'The server does not support Forward Secrecy with the reference browsers.'
In the end I decided to stay with the SSL test problem.
My actual values are a combination of https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices (2.3 Use Secure Cipher Suites) and http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit (Note: Ciphers are used also depending from your SSL/TLS library. In some cases will be enough to specify:)

"cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
$options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

# # # # # # # #

Yes, this is not the perfect solution, but it quickly solved my problem. Now the website behind my pfSense works with the actual versions of Firefox, Chrome, Internet Explorer, Edge, Opera and Safari.

# # # # # # # #

The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.

1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs

2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).

# # # # # # # #

The next problem was, that you can only define one certificate under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Reverse SSL Certificate. But I needed more than one webserver/domain/certifiacte. I could fix this issue with a Multi-Domain certificate (e.g. https://www.namecheap.com/security/ssl-certificates/comodo/positivessl-multi-domain.aspx).

# # # # # # # #

The next problem was the automatic redirect from http to https. I tried to do it directly on the servers/webpages, and it seemed to work, but then I got very strange problems: images broken, css broken, login not possible...

So I removed these settings, and used the Redirects from the Squid Reverse Proxy directly on the pfSense firewall. Don't think it's easy, but with this trick I got it running: https://forum.pfsense.org/index.php?topic=58964.0

# # # # # # # #

Now there is only one problem left: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

# # # # # # # #

Thanks,
Christian.

19-11-_2016_13-17-05.png_thumb

19-11-_2016_13-27-30.png_thumb

Flodu31

Thank you, it's very helpful.

I have the error Access is denied now, I don't know why. I'll investigate.

Florent

cjs1976

Hi,

I updated my post. Sorry for all the additional info, but maybe it helps for later…

Thanks,
Christian.

Flodu31

Hey,

Perfect, thank you very much for this great post.

I always have the Access Denied message: https://URL

Any idea?
Thanks.
Florent

cjs1976

Hi,

I did again an update. It includes a solution, if you need more than one certificate.

–-----

For your problem:

1. Make sure that the server/website is working whitout pfSense. Why: So you can be sure that the problem comes fromthe pfSense configuration, and not from the system behind. I had this with old Classic ASP websites.

2. If you know that the system behind is running error free, you have to check your pfSense Reverse Proxy configuration. The problem is, that we would need to see your pfSense configuration to see if there is any error. BUT be careful, because you can compromise your system with sharing to much information!!!

Thanks,
Christian.

cjs1976

New Update in my information for HTTP => HTTPS redirect.

Flodu31

@cjs1976:

# # # # # # # #

The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.

1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs

2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).

# # # # # # # #

Hi Christian,

I followed your steps and now, I've another error. My wildcard certificate is issued by Digicert. So I imported the PEM DigiCert SHA2 Secure Server CA from https://www.digicert.com/digicert-root-certificates.htm in the CA of the pfSense and I paste it in Intermediate CA Certificate but I have this error:

The following error was encountered while trying to retrieve the URL: https://URL

Failed to establish a secure connection to IPAddress

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.

Any idea?
Thanks.
Florent

cjs1976

Hi,

sorry for my late answer. I am in a huge project, and have less time.

So far I have no idea where the problem could come from. Mabe any certificate issue? Wrong format? Missing stuff?

Please try to open a new thread with this new problem. Maybe there is someone who knows…

Thanks,
Christian.

kazimates

If you change pFSense / Services / Squid Proxy Server / GEneral tab Then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice WhiteList, Bumb OtherWise to the Splice ALL

the problem can be solve with a this shape.

OR

With a default value of the SSL/MITM Mode with Splice WhiteList, Bumb OtherWise you can goto ACLs atb and add desıred web site url to the WhiteList area ie: online.kktcmaliye.com