Skype Fails to Connect through Squid
After I enable HTTPS filtering (SSL Bump) on Squid the Skype stops working. Why?
Consider the following safe environment usually found in corporate LANs.
- All TCP/UDP outbound traffic from workstations to the Internet is blocked.
- Outbound traffic from Squid proxy to the Internet is allowed.
- All workstations in the LAN must use Squid proxy to access Internet resources.
- All browsers on workstations are set to use Squid proxy explicitly.
- Skype is set to use system configured proxy (i.e. Squid).
If HTTPS filtering on Squid is disabled Skype is able to connect to its remote servers. Both audio and video calls work normally. After enabling HTTPS filtering and SSL decryption, Skype stops working and cannot connect to Skype servers through Squid any more.
The reason for failure is indeed HTTPS decryption. Most probably Skype uses SSL certificate pinning, when the application knows exactly what certificate to expect when accessing remote servers. After enabling SSL decryption of HTTPS connections Squid replaces the server certificate with a mimicked one, so the application detects that and refuses to function.
The only partial way to fix this is to exclude some Skype and Microsoft related domain names from SSL decryption. The following domain names must be added to UI / Squid / HTTPS / Exclusions / Domain Names.
.messenger.live.com .microsoft.com .skype.com .trouter.io login.live.com
Unfortunately only excluding domain names is not enough because Skype uses
CONNECT some.random.ip.address requests to establish encrypted tunnels for outbound calls through the proxy. We also need to exclude a large list of IP subnets from SSL decryption.
text file with IP subnets required to enable Skype to work through Squid file.
Then, navigate to UI / Squid / Tools / Upload File and select the Exclude Domain Subnet entry from the drop down box, select the downloaded file skype_ips.txt and click Upload File. After upload finishes correctly, navigate to UI / Squid / Exclusions / IP Subnets and check the entries were indeed uploaded. Click Save and Restart in the top right corner of the UI as shown on the following screenshots.
Microsoft and Skype may change the provided list of IP subnets at any time. We cannot guarantee it will work in your situation. You might need to start Wireshark and analyze what IP subnets must be added to this list. Please share your findings with email@example.com.
There is always the least desired solution that is recommended by Skype support - allow direct UDP connections though firewall as described at https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop