[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Mon Jul 6 09:30:33 UTC 2015


Forgot some extra information:
squid build info:
---
Squid Cache: Version 3.5.5
Service Name: squid
configure options:  '--prefix=/usr' '--sbindir=/usr/bin'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid'
'--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm'
'--enable-auth-digest' '--enable-auth-negotiate'
'--enable-removal-policies=lru,heap' '--enable-storeio=aufs,ufs,diskd'
'--enable-delay-pools' '--with-openssl=/usr' '--enable-snmp'
'--enable-linux-netfilter' '--enable-ident-lookups'
'--enable-useragent-log' '--enable-cache-digests'
'--enable-referer-log' '--enable-htcp' '--enable-carp'
'--enable-epoll' '--with-large-files' '--enable-arp-acl'
'--with-default-user=proxy' '--enable-async-io' '--enable-truncate'
'--enable-icap-client' '--enable-ssl-crtd' '--disable-arch-native'
'--disable-strict-error-checking' '--enable-wccpv2'
'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe
-fstack-protector-strong --param=ssp-buffer-size=4'
'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-march=x86-64 -mtune=generic
-O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4'
---

Also, if I disable "ssl_bump" at the http_port line, squid works without
any problem, just as a forwarder.
But that makes no sense anyway.

Thanks

2015-07-06 17:22 GMT+08:00 adam900710 <adam900710 at gmail.com>:
> Hi all,
>
> I tried to build an SSL bumping proxy with an upper-level proxy, but the client
> failed to connect like the following.
>
> The error:
> ---
> $ curl https://www.google.co.jp -vvvv -k
> * Rebuilt URL to: https://www.google.co.jp/
> * Trying ::1...
> * Connected to localhost (::1) port 3128 (#0)
> * Establish HTTP proxy tunnel to www.google.co.jp:443
>> CONNECT www.google.co.jp:443 HTTP/1.1
>> Host: www.google.co.jp:443
>> User-Agent: curl/7.43.0
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.google.co.jp:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> ---
>
> My squid.conf:
> ---
> # default acls/configs are ignored
> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> never_direct allow all
> ssl_bump peek all
> ssl_bump bump all
> http_port 3128 ssl-bump \
> cert=/etc/squid/ssl/ca.crt \
> key=/etc/squid/ssl/ca.key \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4MB
> ---
>
> From the cache_peer port, someone may notice that I'm using privoxy.
> That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
> or I can't ever access some sites.
>
> Here is some of my experiments:
> 1) Remove "never_direct"
> Then ssl_bump works as expected, but all traffic doesn't go through
> the SOCKS5 proxy. So there are a lot of sites I can't access.
>
> 2) Use local 8118 proxy
> That works fine without any problem, but ssl_bump is needed...
> So that just proves privoxy is working.
>
> Any clue?
>
> Thanks
