[Solved] pfSense +Squid Reverse Proxy +SSL = ERR_SSL_OBSOLETE_CIPHER



  • Hi,

    I use a pfSense 2.3.2-RELEASE-p1 with Squid for Reverse Proxy stuff. So far everything runs fine.

    Now I wanted some sites on my servers behind the firewall to also be reachable over SSL. It took me a while, but after a lot of searching and testing, I think I am very close.

    I can open all sites via http in all browsers without any problems. But I can open my sites over https only in Microsoft Internet Explorer, Microsoft Edge and Mozilla Firefox. With Google Chrome and Opera I get the following error:


    This site can’t provide a secure connection

    www.mydomain1.com uses an unsupported protocol.

    ERR_SSL_OBSOLETE_CIPHER

    The client and server don't support a common SSL protocol version or cipher suite.


    Is there any solution for this?

    Thanks,
    Christian.



  • Chrome is much more demanding when it comes to 'insecure' ciphers in SSL connections. So are you parsing the SSL traffic through Squid to your web server also, or are your SSL connections being made directly to the server? Outwardly, what appears to be happening is the certificate you're using hasn't been generated using a sufficiently strong algorithm. What are you using to generate your CSR?



  • Hi,

    I hope I can answer correctly:

    1. If I connect internally to the website - this means directly, and not over pfSense - then everything works fine.

    2. If I connect from the outside over pfSense, then Chrome and Opera have this problem.

    3. The server runs Windows Server 2012 R2 with the integrated IIS. I generated the CSR directly in IIS, based on this information: https://www.namecheap.com/support/knowledgebase/article.aspx/9647/0/iis-8 => It was Microsoft RSA SChannel Cryptographic Provider with 2048 bit.

    4. I don't know if I parse it or if I send it directly. I use the Squid Reverse Proxy, and I have activated http and https. I didn't find any other option or description. I don't use the transparent SSL or the man in the middle.

    Thanks,
    Christian.



  • Hi,

    So far I found the following BAD solution:

    1. The configuration of the Squid Reverse Proxy is saved under: '/usr/local/etc/squid/squid.conf'.

    2. There is a section called '# Reverse Proxy settings'.

    3. There are a lot of parameters for each entry. For the https stuff there are also the parameters which create the problem: 'cipher=' and 'options='.

    4. I found this article: http://www.rawiriblundell.com/?p=1442

    5. I know that I should not touch this file manually, but I wanted to see if this is the problem. So I changed the values for 'cipher' and 'options' as described in the article. I restarted the Squid service.

    IT WORKS!!!

    Does anyone know where I can set/change/choose these parameters over the GUI???

    Thanks,
    Christian.
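
A quick way to audit what the post above found by hand, as an added example (not code from the thread, from pfSense or from Squid): a small Python script that reads the https_port lines from the '# Reverse Proxy settings' section, pulls out the cipher= and options= values, and flags cipher names modern browsers reject as well as missing protocol restrictions. The sample squid.conf below, with its paths, addresses and cipher strings, is constructed for illustration.

```python
import re

# Constructed sample in the style of the '# Reverse Proxy settings' section of
# squid.conf; hostnames, paths, addresses and cipher strings are made up.
SAMPLE_SQUID_CONF = """\
# Reverse Proxy settings
http_port 192.0.2.10:80 accel defaultsite=www.example.com vhost
https_port 192.0.2.10:443 accel cert=/usr/local/etc/squid/example.crt key=/usr/local/etc/squid/example.key defaultsite=www.example.com vhost cipher=RC4-SHA:DES-CBC3-SHA:AES128-SHA options=NO_SSLv2
https_port 192.0.2.10:8443 accel cert=/usr/local/etc/squid/other.crt key=/usr/local/etc/squid/other.key defaultsite=other.example.com vhost cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 options=NO_SSLv2,NO_SSLv3,NO_TLSv1
"""

# Substrings of OpenSSL cipher names that mark suites browsers refuse:
# RC4, single DES, 3DES, export grades, NULL/anonymous suites, MD5 MACs.
WEAK_CIPHER_TOKENS = ("RC4", "DES-CBC-", "DES-CBC3", "EXP", "NULL", "ADH", "AECDH", "MD5")
# Squid 'options=' flags that an Internet-facing reverse proxy should carry.
REQUIRED_OPTIONS = ("NO_SSLv2", "NO_SSLv3")

def parse_https_ports(conf_text):
    """Return one dict per https_port line: listen address, cipher list, options list."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("https_port"):
            continue
        fields = line.split()
        entry = {"port": fields[1], "cipher": [], "options": []}
        for field in fields[2:]:
            key, sep, value = field.partition("=")
            if sep and key in ("cipher", "options"):
                # cipher= uses ':' separators, options= uses ','
                entry[key] = [v for v in re.split(r"[:,]", value) if v]
        entries.append(entry)
    return entries

def audit(conf_text):
    """Map each https_port listen address to its findings; an empty list means clean."""
    report = {}
    for entry in parse_https_ports(conf_text):
        findings = []
        for name in entry["cipher"]:
            if any(tok in name.upper() for tok in WEAK_CIPHER_TOKENS):
                findings.append(f"weak cipher {name}")
        for opt in REQUIRED_OPTIONS:
            if opt not in entry["options"]:
                findings.append(f"missing option {opt}")
        if not entry["cipher"]:
            findings.append("no cipher= set (Squid/OpenSSL defaults apply)")
        report[entry["port"]] = findings
    return report
```

Run `audit(open('/usr/local/etc/squid/squid.conf').read())` on the real file to see which listener still offers RC4/3DES or lacks NO_SSLv3; a GUI change that regenerates squid.conf can be re-checked the same way.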



  • When you reverse proxy SSL, Squid is effectively working as a 'man-in-the-middle' broker for the actual web server. So the settings you make to the proxy affect how external clients' browsers handle the traffic. I don't personally know if or where the settings you mention are within the GUI. If you make any change to PFS outside the GUI, I believe your changes will remain so long as you don't make any further changes via the GUI itself - though as a package, Squid may handle this differently. Might be worth trying a small change on the GUI to see if the hack you made on your squid.conf stays put.