[squid-users] Error when using peek/splice/terminate with Squid 3.5.1

John Killimangalam Jacob jkillimangalam at in.rm.com
Mon Feb 16 05:54:36 UTC 2015


Hi All,

I am trying to configure an intercept proxy with peek/splice/terminate features in Squid 3.5.1 on CentOS 7 (64-bit). I wanted to peek at step 1 and step 2 and to decide whether to terminate at step 3 based on the SNI and server certificate values. It is working only for https://www.google.com, but a lot of other SSL sites (the likes of https://www.yahoo.com etc.) are not getting loaded, logging an "Error negotiating SSL on FD 36: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext" in the cache.log (trying the same sites using the openssl s_client command works). I was wondering if it has anything to do with my config or OpenSSL (version 1.0.1e) or anything else. The web sites are being accessed from a Windows 7 workstation with IE 8 and Firefox 35.0.1. Below is the squid.config section for peek and splice I am using.

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3


external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject </path/to/urlfilterscript>

acl URL_Allowed external SSL_URL_Filter


ssl_bump peek step1 all

ssl_bump peek step2 all

ssl_bump terminate step3 !URL_Allowed

ssl_bump splice step3 all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem

Thanks in Advance,
John
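
Added example (not part of the original post and not Squid project code): a helper that could sit behind the external_acl_type line above, answering OK/ERR per lookup from the %SRC, %ssl::>sni and %ssl::<cert_subject fields. It assumes Squid's default helper protocol with concurrency=0 (one line per lookup, URL-escaped fields, "-" for a missing value), a one-line /C=.../CN=... subject format, and a constructed allow-list; decide(), host_allowed() and subject_cn() are hypothetical names.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import unquote

# Constructed sample policy (assumption): domains that may be spliced.
ALLOWED_SUFFIXES = ("example.com", "example.org")

def host_allowed(name):
    """True if name equals an allowed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)

def subject_cn(subject):
    """Extract CN from a one-line subject such as /C=US/O=Example/CN=host."""
    for part in subject.split("/"):
        if part.upper().startswith("CN="):
            return part[3:]
    return None

def decide(line):
    """Map one helper request line to a result code (OK, ERR or BH)."""
    fields = line.split()
    if len(fields) != 3:
        return "BH"  # malformed request: report a helper failure
    _src, sni, subject = (unquote(f) for f in fields)
    names = []
    if sni != "-":
        names.append(sni)
    if subject != "-":
        cn = subject_cn(subject)
        if cn is None:
            return "ERR"  # certificate without a CN: fail closed
        names.append(cn[2:] if cn.startswith("*.") else cn)
    if not names:
        return "ERR"  # neither SNI nor certificate seen: fail closed
    # Every name that was observed must match the policy.
    return "OK" if all(host_allowed(n) for n in names) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)  # Squid waits on each answer
```

Requiring both the SNI and the certificate CN to match means a client cannot get a connection spliced by sending an allowed SNI to a server that presents a certificate for a different name.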
