ERR_SSL_OBSOLETE_CIPHER with Squid RP
-
Hi,
and no, disabling the TLS Compression seems to be not needed. All well known browsers are now able to cennect to my website.
Of course there is more stuff to do, but first I need to find a clean solution for the cipher and options problem. I was quickly checking the sourcecode of the package, and there is some hardcoded stuff, but I need more time.
I let you know, if I find a solution.
Thanks,
Christian. -
Ok perfect, thanks you :)
Florent -
# # # # # # # #
Squid: http://www.squid-cache.org
The real name of the squid package for pfSense is pfSense-pkg-squid, and it is part of the FreeBSD-ports.
The sourcecode of FreeBSD-ports can be found under: https://github.com/pfsense/FreeBSD-ports
The sourcecode of pfSense-pkg-squid can be found under: https://github.com/pfsense/FreeBSD-ports/tree/devel/www/pfSense-pkg-squid
The actual version number is: 0.4.23_1
Mozilla Security/Server Side TLS: https://wiki.mozilla.org/Security/Server_Side_TLS
Mozilla Security/TLS Configurations: https://wiki.mozilla.org/Security/TLS_Configurations
Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator
The Chromium Projects - TLS/SSL: https://www.chromium.org/Home/chromium-security/education/tls
SSL Labs - SSL and TLS Deployment Best Practices: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Nartac IIs Crypto: https://www.nartac.com/Products/IISCrypto
SSL Cipher Suite Details of Your Browser: https://cc.dcsec.uni-hannover.de
Google Chrome Version 54:
–-----------------------
ECDHE-ECDSA-AES128-GCM-SHA256128
ECDHE-RSA-AES128-GCM-SHA256128
ECDHE-ECDSA-AES256-GCM-SHA384256
ECDHE-RSA-AES256-GCM-SHA384256
ECDHE-ECDSA-AES128-SHA128
ECDHE-RSA-AES128-SHA128
ECDHE-ECDSA-AES256-SHA256
ECDHE-RSA-AES256-SHA256
RSA-AES128-GCM-SHA256128
RSA-AES256-GCM-SHA384256
RSA-AES128-SHA128
RSA-AES256-SHA256
RSA-3DES-EDE-SHA168
EMPTY-RENEGOTIATION-INFO-SCSV0Microsoft Edge:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
RSA-AES256-GCM-SHA384
RSA-AES128-GCM-SHA256
DH-RSA-MISTY1-SHA
DH-DSS-MISTY1-SHA
RSA-AES256-SHA
RSA-AES128-SHA
RSA-3DES-EDE-SHA
DHE-DSS-AES256-SHA256
DH-ANON-MISTY1-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-3DES-EDE-SHA
EMPTY-RENEGOTIATION-INFO-SCSVMozilla Firefox Version 50:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
RSA-AES128-SHA
RSA-AES256-SHA
RSA-3DES-EDE-SHA
EMPTY-RENEGOTIATION-INFO-SCSV
Qualys SSL Labs - SSL Server Test: https://www.ssllabs.com/ssltest
SSL Shopper - SSL Checker: https://www.sslshopper.com/ssl-checker.html
SSL chain certificate resolver: https://certificatechain.io
Comodo Certification Authority > Root & Intermediate(s): https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/71
DigiCert SSL Utility: https://www.digicert.com/util
# # # # # # # #
The ciphers and options are hardcoded in the file /usr/local/pkg/squid_reverse.inc, so depending on what (Modern or Intermediate) you choose in the GUI under Services -> Squid Reversy Proxy -> General -> Squid Reverse Security Settings -> Compatibility mode, the system will automatically put these vales:
Modern:
$ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
$options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";Intermediate:
$ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
$options = "options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";I don't know if this is related to: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
But what I found out is, that this was made for old browsers (e.g. Firefox 27 => actual is 50, Chrome 30 = actual is 54 ...)
# # # # # # # #
To simply change the /usr/local/etc/squid/squid.conf manually will not solve the problem, because with every system update or every config change, we would need to 'repair' our squid.conf.
So I created this quick solution:
1. Add an additional option in the file /usr/local/pkg/squid_reverse_general.xml. The option-list for the field 'Compatibility mode' starts at line 291.
2. Add an additional if-statement for the new option in the file /usr/local/pkg/squid_reverse.inc. The if-block for this starts at line 139.
-
First I tried the values from this article: http://www.rawiriblundell.com/?p=1442.
-
Then I tried a lot of others, but in the end I had always 1 problem left: either Chrome was not happy with the cipher, or the SSL test told me 'The server does not support Forward Secrecy with the reference browsers.'
-
In the end I decided to stay with the SSL test problem.
-
My actual values are a combination of https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices (2.3 Use Secure Cipher Suites) and http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit (Note: Ciphers are used also depending from your SSL/TLS library. In some cases will be enough to specify:)
"cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
$options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";# # # # # # # #
Yes, this is not the perfect solution, but it quickly solved my problem. Now the website behind my pfSense works with the actual versions of Firefox, Chrome, Internet Explorer, Edge, Opera and Safari.
# # # # # # # #
The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.
1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs
2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).
# # # # # # # #
The next problem was, that you can only define one certificate under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Reverse SSL Certificate. But I needed more than one webserver/domain/certifiacte. I could fix this issue with a Multi-Domain certificate (e.g. https://www.namecheap.com/security/ssl-certificates/comodo/positivessl-multi-domain.aspx).
# # # # # # # #
The next problem was the automatic redirect from http to https. I tried to do it directly on the servers/webpages, and it seemed to work, but then I got very strange problems: images broken, css broken, login not possible...
So I removed these settings, and used the Redirects from the Squid Reverse Proxy directly on the pfSense firewall. Don't think it's easy, but with this trick I got it running: https://forum.pfsense.org/index.php?topic=58964.0
# # # # # # # #
Now there is only one problem left: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.
# # # # # # # #
Thanks,
Christian.
-
-
Thank you, it's very helpful.
I have the error Access is denied now, I don't know why. I'll investigate.
Florent
-
Hi,
I updated my post. Sorry for all the additional info, but maybe it helps for later…
Thanks,
Christian. -
Hey,
Perfect, thank you very much for this great post.
I always have the Access Denied message: https://URL
Any idea?
Thanks.
Florent -
Hi,
I did again an update. It includes a solution, if you need more than one certificate.
–-----
For your problem:
1. Make sure that the server/website is working whitout pfSense. Why: So you can be sure that the problem comes fromthe pfSense configuration, and not from the system behind. I had this with old Classic ASP websites.
2. If you know that the system behind is running error free, you have to check your pfSense Reverse Proxy configuration. The problem is, that we would need to see your pfSense configuration to see if there is any error. BUT be careful, because you can compromise your system with sharing to much information!!!
Thanks,
Christian. -
New Update in my information for HTTP => HTTPS redirect.
-
# # # # # # # #
The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.
1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs
2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).
# # # # # # # #
Hi Christian,
I followed your steps and now, I've another error. My wildcard certificate is issued by Digicert. So I imported the PEM DigiCert SHA2 Secure Server CA from https://www.digicert.com/digicert-root-certificates.htm in the CA of the pfSense and I paste it in Intermediate CA Certificate but I have this error:
The following error was encountered while trying to retrieve the URL: https://URL Failed to establish a secure connection to IPAddress The system returned: (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials. Your cache administrator is admin@localhost.Any idea?
Thanks.
Florent -
Hi,
sorry for my late answer. I am in a huge project, and have less time.
So far I have no idea where the problem could come from. Mabe any certificate issue? Wrong format? Missing stuff?
Please try to open a new thread with this new problem. Maybe there is someone who knows…
Thanks,
Christian. -
If you change pFSense / Services / Squid Proxy Server / GEneral tab Then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice WhiteList, Bumb OtherWise to the Splice ALL
the problem can be solve with a this shape.
OR
With a default value of the SSL/MITM Mode with Splice WhiteList, Bumb OtherWise you can goto ACLs atb and add desıred web site url to the WhiteList area ie: online.kktcmaliye.com