    Squid transparent proxy blocks skype calls

    • F
      fearnothing last edited by

      I have discovered an issue with squid3-dev (3.3.10 pkg 2.2.6) and skype. I have just set it up in transparent mode with SSL intercept enabled; once I got it working for web content, I've found that I am unable to make calls with skype. When I try to do so, the log shows multiple instances of "error:invalid-request" status "NONE/400" (no destination IP). Is there a workaround for this? Google didn't help me this time.

      • K
        kejianshi last edited by

        So you have discovered a sure-fire way to block skype?  Publish it…

        • F
          fearnothing last edited by

          Har har. Only if I can make money from it somehow.

          Further detail: it's not just calls. Skype signs in and I can search the directory for users but I can't make calls or send messages.

          • K
            kejianshi last edited by

            It's been a while since I ran a transparent proxy, but it seems like at the time I was able to exempt certain PCs by putting them in a separate VLAN.
            Squid always caused me more pain than it was worth at home.

            • F
              fearnothing last edited by

              Disabling SSL intercept solves the problem. I suspect that what's happening is when Squid gets the decrypted HTTPS traffic, it looks at it and says "this doesn't make any damn sense, get lost". Supporting this theory, when I'm watching the real time URL information when SSL intercept is enabled, when skype is trying to make a call I will occasionally see, instead of normal URLs, strings of gibberish and/or large quantities of encoded characters (e.g. "%3E%A0%E7%95%D2%DE%FE%A3Q%92%FE%B2@%B9%7F%%5D%5BX;%E4%23%EC7@%95%F7%B4%D4%97q%17%E4AJ%BF%5E(%9F%F1%9At")

              • K
                kejianshi last edited by

                My opinion is that using squid for anything other than HTTP is complete folly.

                • KOM
                  KOM last edited by

                  Squid has a Bypass proxy for these destination IPs exemption.  Perhaps that would work?

                  • F
                    fearnothing last edited by

                    Skype appears to use HTTPS for much of its connectivity. I expect that it exchanges keys for the call over HTTPS before switching to UDP with encrypted payloads or something like that to send the audio/video.

                    Disabling for specific destination IPs isn't practical - I would have to know what IP addresses any of my friends had who I wanted to call/talk to.

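The log signature reported in this thread (status NONE/400 with error:invalid-request) can be tallied per client to show which hosts are pushing non-HTTP traffic through SSL intercept and are candidates for exemption. This is an added example, not code from the thread or from the Squid or pfSense projects; the log lines are constructed in Squid's native access.log layout, and the function names and the `min_failures` threshold are assumptions.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
# All addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
1389260001.101    212 192.168.1.20 TCP_MISS/200 5120 GET https://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1389260002.310      0 192.168.1.50 NONE/400 3890 NONE error:invalid-request - HIER_NONE/- text/html
1389260002.512      0 192.168.1.50 NONE/400 3890 NONE error:invalid-request - HIER_NONE/- text/html
1389260003.007    180 192.168.1.50 TCP_MISS/200 812 GET https://login.example.net/ - HIER_DIRECT/203.0.113.20 text/html
1389260003.940      0 192.168.1.50 NONE/400 3890 NONE error:invalid-request - HIER_NONE/- text/html
1389260004.115      0 192.168.1.50 NONE/400 3890 NONE error:invalid-request - HIER_NONE/- text/html
1389260005.200     95 192.168.1.20 TCP_MISS/304 310 GET https://www.example.com/a.css - HIER_DIRECT/203.0.113.10 -
1389260006.450      0 192.168.1.60 NONE/400 3890 NONE error:invalid-request - HIER_NONE/- text/html
1389260009.000      0 192.168.1.50
"""

def parse_line(line):
    """Return (client, result, url), or None for a truncated line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[3], fields[6]

def summarize(log_text):
    """Count total requests and rejected-as-invalid requests per client."""
    totals, failures = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, result, url = parsed
        totals[client] += 1
        # The signature from the thread: no upstream fetch, HTTP 400.
        if result == "NONE/400" and url == "error:invalid-request":
            failures[client] += 1
    return totals, failures

def noisy_clients(log_text, min_failures=3):
    """Clients with at least min_failures rejections: (ip, failed, total)."""
    totals, failures = summarize(log_text)
    return sorted((c, n, totals[c]) for c, n in failures.items()
                  if n >= min_failures)

if __name__ == "__main__":
    for client, bad, total in noisy_clients(SAMPLE_LOG):
        print(f"{client}: {bad} of {total} requests rejected as invalid-request")
```

A single rejection, as for the third client in the sample, stays below the threshold so that one malformed request does not flag a host.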