ERR_SSL_OBSOLETE_CIPHER with Squid RP



  • Hello everyone,

    With Chrome, I've the following error when I try to access an URL from my desktop (I use Quid Reverse Proxy):

    ERR_SSL_OBSOLETE_CIPHER

    With Firefox, it works.
    Any idea?

    Thanks.
    Florent



  • Same here.
    Strangely enough, it used to work perfectly until today when I imported an updated certificate (because expiration of the previous one) and set the squid RP to use it. When I saved the new config, it stopped working with Chrome 53.
    I also notice it works with Firefox. Upgrading Chrome to 54 doesn't help.

    I finally found a working configuration :

    • set DH params key size to 4096
    • set compatibility mode to "intermediate" (was "modern").

    I guess something is wrong with the "modern" setup.
    My Squid config had not been re-generated in a while. At least not since I applied the last update to 2.3.2_1 (from 2.3.2 IIRC). I've seen this update includes OpenSSL changes. Maybe that's the source of the problem ?



  • Hello,

    Thanks for your update. I tried with your settings but in Chrome, he's downloading an empty file (see attachment).
    Did you change anything else?

    Thanks.
    Florent




  • Hi,

    I have the same problem. Is there a working solution???

    Thanks,
    Christian.



  • Hello,
    I didn't find a solution.
    If you have it, I take :)
    Florent



  • Hi,

    so far I found the following BAD solution:

    1. The configuration of the Squid Reverse Prox is saved under: '/usr/local/etc/squid/squid.conf'.

    2. There is a section called '# Reverse Proxy settings'

    3. There are a lot of parameters for each entry. For the https stuff there are also the parameters which create the problem: 'cipher=' and 'options='

    4. I found this article: http://www.rawiriblundell.com/?p=1442

    5. I know, that I should not touch this file manually, but I wanted to see if this is the problem. So I changed the values for 'cipher' and 'options' like described in the article. I restarted the Squid service.

    IT WORKS!!!

    Can you please try and let me know??? Don't forget to backup the old configuration first!!!

    Thanks,
    Christian.



  • Hello,
    Thanks for this, it works. I've now an access denied but the error with cipher has disappear.
    Thanks again.
    Florent

    EDIT: I always have the same problem :(
    Did you do this: # Disable TLS Compression
    export OPENSSL_NO_DEFAULT_ZLIB=1
    ?
    Thanks



  • Hi,

    and no, disabling the TLS Compression seems to be not needed. All well known browsers are now able to cennect to my website.

    Of course there is more stuff to do, but first I need to find a clean solution for the cipher and options problem. I was quickly checking the sourcecode of the package, and there is some hardcoded stuff, but I need more time.

    I let you know, if I find a solution.

    Thanks,
    Christian.



  • Ok perfect, thanks you :)
    Florent



  • # # # # # # # #

    Squid: http://www.squid-cache.org

    The real name of the squid package for pfSense is pfSense-pkg-squid, and it is part of the FreeBSD-ports.

    The sourcecode of FreeBSD-ports can be found under: https://github.com/pfsense/FreeBSD-ports

    The sourcecode of pfSense-pkg-squid can be found under: https://github.com/pfsense/FreeBSD-ports/tree/devel/www/pfSense-pkg-squid

    The actual version number is: 0.4.23_1


    Mozilla Security/Server Side TLS: https://wiki.mozilla.org/Security/Server_Side_TLS

    Mozilla Security/TLS Configurations: https://wiki.mozilla.org/Security/TLS_Configurations

    Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator

    The Chromium Projects - TLS/SSL: https://www.chromium.org/Home/chromium-security/education/tls

    SSL Labs - SSL and TLS Deployment Best Practices: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

    Nartac IIs Crypto: https://www.nartac.com/Products/IISCrypto


    SSL Cipher Suite Details of Your Browser: https://cc.dcsec.uni-hannover.de

    Google Chrome Version 54:
    –-----------------------
    ECDHE-ECDSA-AES128-GCM-SHA256128
    ECDHE-RSA-AES128-GCM-SHA256128
    ECDHE-ECDSA-AES256-GCM-SHA384256
    ECDHE-RSA-AES256-GCM-SHA384256
    ECDHE-ECDSA-AES128-SHA128
    ECDHE-RSA-AES128-SHA128
    ECDHE-ECDSA-AES256-SHA256
    ECDHE-RSA-AES256-SHA256
    RSA-AES128-GCM-SHA256128
    RSA-AES256-GCM-SHA384256
    RSA-AES128-SHA128
    RSA-AES256-SHA256
    RSA-3DES-EDE-SHA168
    EMPTY-RENEGOTIATION-INFO-SCSV0

    Microsoft Edge:

    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES256-SHA
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-SHA
    DHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA
    RSA-AES256-GCM-SHA384
    RSA-AES128-GCM-SHA256
    DH-RSA-MISTY1-SHA
    DH-DSS-MISTY1-SHA
    RSA-AES256-SHA
    RSA-AES128-SHA
    RSA-3DES-EDE-SHA
    DHE-DSS-AES256-SHA256
    DH-ANON-MISTY1-SHA
    DHE-DSS-AES256-SHA
    DHE-DSS-AES128-SHA
    DHE-DSS-3DES-EDE-SHA
    EMPTY-RENEGOTIATION-INFO-SCSV

    Mozilla Firefox Version 50:

    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-SHA
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    ECDHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA
    DHE-RSA-AES256-SHA
    RSA-AES128-SHA
    RSA-AES256-SHA
    RSA-3DES-EDE-SHA
    EMPTY-RENEGOTIATION-INFO-SCSV


    Qualys SSL Labs - SSL Server Test: https://www.ssllabs.com/ssltest

    SSL Shopper - SSL Checker: https://www.sslshopper.com/ssl-checker.html

    SSL chain certificate resolver: https://certificatechain.io


    Comodo Certification Authority > Root & Intermediate(s): https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/71

    DigiCert SSL Utility: https://www.digicert.com/util

    # # # # # # # #

    The ciphers and options are hardcoded in the file /usr/local/pkg/squid_reverse.inc, so depending on what (Modern or Intermediate) you choose in the GUI under Services -> Squid Reversy Proxy -> General -> Squid Reverse Security Settings -> Compatibility mode, the system will automatically put these vales:

    Modern:

    $ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
    $options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

    Intermediate:

    $ciphers = "cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    $options = "options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

    I don't know if this is related to: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

    But what I found out is, that this was made for old browsers (e.g. Firefox 27 => actual is 50, Chrome 30 = actual is 54 ...)

    # # # # # # # #

    To simply change the /usr/local/etc/squid/squid.conf manually will not solve the problem, because with every system update or every config change, we would need to 'repair' our squid.conf.

    So I created this quick solution:

    1. Add an additional option in the file /usr/local/pkg/squid_reverse_general.xml. The option-list for the field 'Compatibility mode' starts at line 291.

    2. Add an additional if-statement for the new option in the file /usr/local/pkg/squid_reverse.inc. The if-block for this starts at line 139.

    "cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
    $options = "options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE";

    # # # # # # # #

    Yes, this is not the perfect solution, but it quickly solved my problem. Now the website behind my pfSense works with the actual versions of Firefox, Chrome, Internet Explorer, Edge, Opera and Safari.

    # # # # # # # #

    The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.

    1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs

    2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).

    # # # # # # # #

    The next problem was, that you can only define one certificate under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Reverse SSL Certificate. But I needed more than one webserver/domain/certifiacte. I could fix this issue with a Multi-Domain certificate (e.g. https://www.namecheap.com/security/ssl-certificates/comodo/positivessl-multi-domain.aspx).

    # # # # # # # #

    The next problem was the automatic redirect from http to https. I tried to do it directly on the servers/webpages, and it seemed to work, but then I got very strange problems: images broken, css broken, login not possible...

    So I removed these settings, and used the Redirects from the Squid Reverse Proxy directly on the pfSense firewall. Don't think it's easy, but with this trick I got it running: https://forum.pfsense.org/index.php?topic=58964.0

    # # # # # # # #

    Now there is only one problem left: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

    # # # # # # # #

    Thanks,
    Christian.






  • Thank you, it's very helpful.

    I have the error Access is denied now, I don't know why. I'll investigate.

    Florent



  • Hi,

    I updated my post. Sorry for all the additional info, but maybe it helps for later…

    Thanks,
    Christian.



  • Hey,

    Perfect, thank you very much for this great post.

    I always have the Access Denied message: https://URL

    Any idea?
    Thanks.
    Florent



  • Hi,

    I did again an update. It includes a solution, if you need more than one certificate.

    –-----

    For your problem:

    1. Make sure that the server/website is working whitout pfSense. Why: So you can be sure that the problem comes fromthe pfSense configuration, and not from the system behind. I had this with old Classic ASP websites.

    2. If you know that the system behind is running error free, you have to check your pfSense Reverse Proxy configuration. The problem is, that we would need to see your pfSense configuration to see if there is any error. BUT be careful, because you can compromise your system with sharing to much information!!!

    Thanks,
    Christian.



  • New Update in my information for HTTP => HTTPS redirect.



  • @cjs1976:

    # # # # # # # #

    The next problem was the broken certificate chain. The SSL Checker from SSL Shopper helped me to fix it.

    1. I had to install the 'COMODO RSA Domain Validation Secure Server CA' certificate under System -> Cert. Manager -> CAs

    2. And I had to enter also this certifiacte information under Services -> Squid Reverse Proxy -> General -> Squid Reverse HTTPS Settings -> Intermediate CA Certificate (If Needed).

    # # # # # # # #

    Hi Christian,

    I followed your steps and now, I've another error. My wildcard certificate is issued by Digicert. So I imported the PEM DigiCert SHA2 Secure Server CA from https://www.digicert.com/digicert-root-certificates.htm in the CA of the pfSense and I paste it in Intermediate CA Certificate but I have this error:

    The following error was encountered while trying to retrieve the URL: https://URL
    
    Failed to establish a secure connection to IPAddress
    
    The system returned:
    
    (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    
    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
    
    Your cache administrator is admin@localhost.
    

    Any idea?
    Thanks.
    Florent



  • Hi,

    sorry for my late answer. I am in a huge project, and have less time.

    So far I have no idea where the problem could come from. Mabe any certificate issue? Wrong format? Missing stuff?

    Please try to open a new thread with this new problem. Maybe there is someone who knows…

    Thanks,
    Christian.



  • If you change pFSense / Services / Squid Proxy Server / GEneral tab Then check the SSL Man In The Middle Filtering area and change the SSL/MITM Mode from Splice WhiteList, Bumb OtherWise to the Splice ALL

    the problem can be solve with a this shape.

    OR

    With a default value of the SSL/MITM Mode with Splice WhiteList, Bumb OtherWise you can goto ACLs atb and add desıred web site url to the WhiteList area ie: online.kktcmaliye.com


Log in to reply