[squid-users] sslbump working with 3.4.9 but not in intercept mode?
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 10 11:06:20 UTC 2014
On 10/11/2014 11:26 p.m., Jason Haar wrote:
> On 10/11/14 23:02, Amos Jeffries wrote:
>>> acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
>>> acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
>>> ssl_bump none SSL_nonHTTPS_sites
>>> ssl_bump none SSL_noIntercept_sites
>>> ssl_bump server-first all
>>
>> The TCP forwarding behaviour occurs when your "ssl_bump none"
>> rules match the IP address of the intercepted tcp/443 traffic.
>>
>> So it comes down to what your regex files contain and what TCP
>> dst-IPs your Squid is processing. Both of the details you have
>> elided from your description.
>>
>
> Ha! You're dead right. I had "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$" in
> SSL_nonHTTPS_sites.txt so that Skype could work (skype will
> auto-detect proxies if needed and uses CONNECT statements to peer
> IP addresses instead of hostnames). So that whitelisted the bumps!
>
> I've commented out the SSL_nonHTTPS_sites rule and now it's
> broken HTTPS altogether. Now "telnet 1.2.3.4 443" connects and
> immediately drops. cache.log shows squid crashing and restarting.
> If I comment out "https_port", the crashing stops, so it looks like
> my config is OK for "normal" proxy-bumping, but something is wrong
> for intercept. (this is a Centos-6 box self-compiled 3.4.9)
>
> 2014/11/10 23:20:43 kid1| Closing HTTP port 0.0.0.0:3126
> 2014/11/10 23:20:43 kid1| Closing HTTP port 0.0.0.0:3129
> 2014/11/10 23:20:43 kid1| Closing HTTPS port 0.0.0.0:3127
> FATAL: xstrdup: tried to dup a NULL pointer!
Grr, strdup bites again. Backtrace please if you can.
Amos
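
An added example, not part of the original thread and not Squid code: a small audit that flags entries in a dstdom_regex list that match bare IP addresses, which is what an "ssl_bump none" rule is compared against for intercepted tcp/443 traffic as described above. The sample list, the probe addresses, and the use of Python's `re` as a stand-in for Squid's regex matching are assumptions.

```python
import re

# Constructed sample of a dstdom_regex list file, one pattern per line.
# The first pattern is the one quoted in the thread; the rest are made up.
# Assumption: lines starting with '#' are comments.
SAMPLE_LIST = r"""
# raw-IP CONNECT targets (Skype)
^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
(^|\.)example\.com$
\.internal\.
.*
"""

# Constructed destination IPs (documentation ranges), standing in for the
# dst-IP that the ACL is matched against for intercepted connections.
PROBE_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.254"]


def load_patterns(text):
    """Return the non-empty, non-comment lines of a pattern file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit(patterns, probes=PROBE_IPS):
    """Map each pattern to the probe IPs it matches (unanchored search)."""
    findings = {}
    for pat in patterns:
        try:
            rx = re.compile(pat)
        except re.error as exc:
            findings[pat] = ["invalid regex: %s" % exc]
            continue
        hits = [ip for ip in probes if rx.search(ip)]
        if hits:
            findings[pat] = hits
    return findings


def exempts_all_intercepted(patterns, probes=PROBE_IPS):
    """True if a single pattern matches every probe IP, i.e. the list
    would send all intercepted traffic down the 'ssl_bump none' path."""
    return any(hits == list(probes) for hits in audit(patterns, probes).values())


if __name__ == "__main__":
    for pat, hits in audit(load_patterns(SAMPLE_LIST)).items():
        print("%-40s matches %s" % (pat, ", ".join(hits)))
```
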