Sites using an older version of TLS are still accessible via Chrome, but I got a Connection Failed via SafeSquid-SWG



Post by aashish97 » Wed Sep 04, 2019 3:00 pm

Hello All,

Sites using an older version of TLS are still accessible via Chrome & Firefox, but I got a Connection Failed via SafeSquid-SWG.

Recently, I was troubleshooting a problem for one of our clients.
That is where I encountered a website, https://www.tandf.co.uk/,
showing "Connection Failed" via SafeSquid-SWG, although I was able to access it via Chrome & Firefox.


POC snapshot [when I tried to access that website in the Firefox browser via SafeSquid-SWG]: image.png

After going through the SafeSquid-SWG logs I came across an SSL-related error.
Log lines:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2019 09 05 11:36:23.803 [5] debug: request: auto request for encoded content
2019 09 05 11:36:23.803 [5] debug: network: Find_: 154 common socket https://www.tandf.co.uk:443
2019 09 05 11:36:23.803 [5] debug: network: Connection Pool: common[miss]: https://(null):*@www.tandf.co.uk:443
2019 09 05 11:36:23.803 [5] debug: network: DNS[IPv4]: cache[hit] www.tandf.co.uk -> 34.241.48.49
2019 09 05 11:36:23.803 [5] debug: network: net_connect_: successful [fd:26] to www.tandf.co.uk:443
2019 09 05 11:36:23.803 [5] debug: ssl: check:1236 deep scan enforced on connection
2019 09 05 11:36:24.211 [5] debug: ssl: CTXcacheOUT::find_ctx:4538 cache[2]hit: ref[2]www.tandf.co.uk
2019 09 05 11:36:24.211 [5] debug: ssl: EncryptS:939 SSL_set_tlsext_host_name www.tandf.co.uk
2019 09 05 11:36:24.428 [5] error: ssl: SSL_retry:1647 [SSL_connect:SSL_ERROR_WANT_READ] net_read_wait():POLLHUP
2019 09 05 11:36:24.428 [5] error: ssl: EncryptS:997 SSL_connect [2:error:00000002:lib(0):func(0):reason(2)]
2019 09 05 11:36:24.428 [5] error: ssl: EncryptS:999 [site:www.tandf.co.uk] [session cached:no] [session reused:no]
2019 09 05 11:36:24.428 [5] error: ssl: ServerEncrypt:1828 www.tandf.co.uk:443
2019 09 05 11:36:24.429 [5] debug: network: closesocket: _socket_:26 192.168.249.86:40478 34.241.48.49:443

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

After doing some R&D I got to know that the website is using TLS version 1.0.

I tried it via OpenSSL, with a very basic command:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

root@seqrite:~# echo | openssl s_client -connect www.tandf.co.uk:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=*.tandf.co.uk
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGLjCCBRag......................................................................................................
...................................................oNzAtJeMbxbMujd2ufms6hh1x5+spCv4xTf
E5Y=
-----END CERTIFICATE-----
subject=/CN=*.tandf.co.uk
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
---
No client certificate CA names sent
---
SSL handshake has read 2938 bytes and written 613 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 3E26000027954265E121462C83C3B6E64EAFEB913276206D4F51737EC1712771
Session-ID-ctx:
Master-Key: 8C2073A2C6E73BAAA2A97A184139D232774D842DE434CCED2660FF4E0525192BE8F6FF62D3F4C54D6CA702AF2137FBDB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1567664082
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

POC snapshot [when I tried to access that website in the Chrome browser]: image.png

It is absurd that websites are still using TLSv1.0, which is deprecated and should not be used anymore;
I have read a lot of articles related to the deprecation of TLSv1.0.

Below I have listed a few.
LINK1: https://www.comodo.com/e-commerce/ssl-c ... cation.php
LINK2: https://www.globalsign.com/en-in/blog/d ... -versions/

I also encountered this website, which also uses TLSv1.0.

POC snapshot [when I tried to access that website in the Chrome browser]: image.png


As far as I know, SafeSquid-SWG does not support TLSv1.0, as it is deprecated and should not be used by anyone.
It is good to know that the website was not accessible for this reason.
BUT [yes, there is a BUT over here]
What I see is that when the user accesses such a website he gets a Connection Failure, which can be due to any number of reasons.
It does not explain why we got a Connection Failed.

The logs also do not explain it perfectly,
but it was related to SSL, so I tried the website via OpenSSL and got very clean details of the SSL part, so I was able to understand the actual problem behind the connection failure.
It might be tough for a normal user.

Rather than showing a Connection Failed, SafeSquid should show the actual details of the problem, as this makes the user aware that something is wrong with the website he is trying to access.
I think it will be fixed in a newer version.
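The manual diagnosis above (reading `Protocol :` and `Cipher :` out of `openssl s_client` and trying versions one by one) can be scripted. The following is an added example, not code from the post or from SafeSquid: `assess_s_client_output()` judges the negotiated protocol and suite against an assumed policy (TLS 1.2 floor, no 3DES/RC4/export/NULL suites, which is what a modern inspecting proxy typically enforces), and `probe_tls_versions()` asks a live server which TLS versions it completes a handshake for. The policy thresholds and the sample output in the test are constructed assumptions.

```python
import re
import socket
import ssl

# Assumed policy of a "modern" client or TLS-inspecting proxy: TLS 1.2 floor and
# no 3DES/RC4/export/NULL/MD5 suites. Not taken from SafeSquid documentation.
MIN_PROTOCOL = "TLSv1.2"
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "EXP", "NULL", "MD5")


def assess_s_client_output(text):
    """Read the 'Protocol :' and 'Cipher :' lines that openssl s_client prints in
    its SSL-Session block and state whether the assumed policy would accept them."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if not proto or not cipher:
        raise ValueError("no negotiated Protocol/Cipher found in s_client output")
    protocol, suite = proto.group(1), cipher.group(1)
    reasons = []
    if protocol not in PROTOCOL_ORDER or \
            PROTOCOL_ORDER.index(protocol) < PROTOCOL_ORDER.index(MIN_PROTOCOL):
        reasons.append(f"protocol {protocol} is below the {MIN_PROTOCOL} floor")
    if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
        reasons.append(f"cipher {suite} is an obsolete suite")
    return {"protocol": protocol, "cipher": suite,
            "accepted": not reasons, "reasons": reasons}


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version (min == max pinned) and report which
    ones the server completes. Certificate verification is disabled on purpose:
    only protocol support is being measured here, not trust."""
    results = {}
    for version in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL offer legacy suites
            ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = "ok: " + tls.cipher()[0]
        except (ssl.SSLError, ValueError) as exc:
            # server refused this version, or the local OpenSSL build no longer offers it
            results[version] = f"refused: {exc}"
        except OSError as exc:
            results[version] = f"error: {exc}"
    return results
```

Run `probe_tls_versions("www.example.net")` (hostname is a placeholder) to see, per version, whether the refusal comes from the server or from your own OpenSSL build; a server answering only under `TLSv1` explains a proxy-side Connection Failed that a browser with legacy fallback still hides.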