[squid-users] peek/splice working with lynx but not with firefox or chrome
Roel van Meer
roel at 1afa.com
Tue Mar 10 13:46:54 UTC 2015
I'm trying to get peek/splice working with intercepted https connections.
The final goal is to accept or reject connections based on the SNI info that
we get from the first peek. So first, I would like to be able to do
peek/splice on all requests, and then later I can use an external acl to
block some of them.
I'm having trouble getting the first step to work. My peek/splice config
works when I use lynx as a browser, but not (well) with firefox or chrome.
The latter two sometimes return a result, but often don't. When this happens
I get diverse errors in the cache log like:
Error negotiating SSL on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Error negotiating SSL on FD 41: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
Error negotiating SSL on FD 31: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
The relevant portions of squid.conf:
https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice all
sslproxy_cert_error allow all
I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. Traffic
is redirected from port 443 to 3130 with iptables.
Any help would be really appreciated.
Thanks a lot,
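As an added illustration of the two steps the poster describes (not code from the post or from the Squid project): the function below parses the server_name from a raw TLS ClientHello, which is exactly the information the first peek (SslBump1) exposes, and returns None for anything that is not a TLS handshake record, which is the situation behind errors such as "unknown protocol" when non-TLS traffic lands on port 443. The second part is a minimal external ACL helper that answers OK or ERR per line, as Squid's external_acl_type protocol expects. Assumptions: the helper is wired up with a format of `%ssl::>sni` and the default non-concurrent line format (one SNI per line), the allow list is a constructed example, and `build_client_hello` only exists to construct sample input for the parser.

```python
import sys


def _take(buf: bytes, pos: int, n: int):
    """Return buf[pos:pos+n] and the new offset; raise ValueError if truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + n], pos + n


def _parse_sni_extension(ext: bytes):
    """Walk the server_name_list and return the first host_name entry."""
    list_len, p = _take(ext, 0, 2)
    names, _ = _take(ext, p, int.from_bytes(list_len, "big"))
    q = 0
    while q < len(names):
        name_type, q = _take(names, q, 1)
        nlen, q = _take(names, q, 2)
        name, q = _take(names, q, int.from_bytes(nlen, "big"))
        if name_type == b"\x00":  # name_type 0 = host_name
            return name.decode("ascii")
    return None


def _extract_sni(data: bytes):
    hdr, pos = _take(data, 0, 5)
    if hdr[0] != 0x16:  # content type 22 = handshake; anything else is not TLS
        return None
    record, _ = _take(data, pos, int.from_bytes(hdr[3:5], "big"))
    hs_hdr, p = _take(record, 0, 4)
    if hs_hdr[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    body, _ = _take(record, p, int.from_bytes(hs_hdr[1:4], "big"))
    p = 2 + 32  # skip client_version and random
    sid_len, p = _take(body, p, 1)
    p += sid_len[0]  # skip session_id
    cs_len, p = _take(body, p, 2)
    p += int.from_bytes(cs_len, "big")  # skip cipher_suites
    cm_len, p = _take(body, p, 1)
    p += cm_len[0]  # skip compression_methods
    if p == len(body):
        return None  # legacy ClientHello without extensions carries no SNI
    ext_len, p = _take(body, p, 2)
    exts, _ = _take(body, p, int.from_bytes(ext_len, "big"))
    q = 0
    while q < len(exts):
        ext_type, q = _take(exts, q, 2)
        elen, q = _take(exts, q, 2)
        ext_data, q = _take(exts, q, int.from_bytes(elen, "big"))
        if ext_type == b"\x00\x00":  # extension type 0 = server_name
            return _parse_sni_extension(ext_data)
    return None


def extract_sni(data: bytes):
    """SNI host name from a ClientHello, or None for non-TLS/truncated input."""
    try:
        return _extract_sni(data)
    except ValueError:  # covers truncation and non-ASCII names
        return None


def decide(sni, allowed):
    """External ACL verdict: OK to allow (splice), ERR to deny."""
    if sni and (sni in allowed or any(sni.endswith("." + d) for d in allowed)):
        return "OK"
    return "ERR"


def build_client_hello(hostname: bytes) -> bytes:
    """Constructed sample ClientHello carrying one SNI entry (test input only)."""
    entry = b"\x00" + len(hostname).to_bytes(2, "big") + hostname
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def main():
    # Constructed allow list; a real helper would load this from a file.
    allowed = {"example.com"}
    for line in sys.stdin:  # one SNI per line, as sent with %ssl::>sni (assumed)
        print(decide(line.strip() or None, allowed), flush=True)


if __name__ == "__main__":
    main()
```

The parser bounds-checks every length field against the bytes actually available rather than trusting the record length, so a partial first read from the client yields None instead of an exception; the helper treats an empty or missing SNI as a deny, which is the safe default when the goal is to splice only connections whose SNI has been vetted.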