[squid-users] peek/splice working with lynx but not with firefox or chrome

Roel van Meer roel at 1afa.com
Tue Mar 10 13:46:54 UTC 2015


Hi list!

I'm trying to get peek/splice working with intercepted https connections.  
The final goal is to accept or reject connections based on the SNI info that  
we get from the first peek. So first, I would like to be able to do  
peek/splice on all requests, and then later I can use an external acl to  
block some of them.

I'm having trouble getting the first step to work. My peek/splice config  
works when I use lynx as a browser, but not (well) with firefox or chrome.  
The latter two sometimes return a result, but often don't. When this happens  
I get diverse errors in the cache log like:

  Error negotiating SSL on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
  Error negotiating SSL on FD 41: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
  Error negotiating SSL on FD 31: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)

The relevant portions of squid.conf:

  https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem

  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl step3 at_step SslBump3

  ssl_bump peek step1
  ssl_bump peek step2
  ssl_bump splice all

  sslproxy_cert_error allow all
  sslproxy_flags DONT_VERIFY_PEER

I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. Traffic  
is redirected from port 443 to 3130 with iptables.

Any help would be really appreciated.

Thanks a lot,

Roel
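As an added example (not part of Roel's message and not Squid's own code), a minimal external ACL helper of the kind the message's final goal describes: Squid hands it the SNI seen at the first peek and it answers OK or ERR. The squid.conf wiring in the docstring, the helper path and the denylist are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow or refuse a TLS connection by its SNI.

Assumed squid.conf wiring (hypothetical; adapt paths and names):
  external_acl_type sni_check ttl=60 %ssl::>sni /usr/local/bin/sni_check.py
  acl sni_ok external sni_check
  ssl_bump peek step1
  ssl_bump splice sni_ok
  ssl_bump terminate all
Squid writes one request per line on stdin ("<sni>", or "<channel-id> <sni>"
when concurrency is enabled) and expects "OK" or "ERR" per line on stdout.
"""
import sys

# Constructed denylist: refuse a name that equals one of these or is a
# subdomain of one of them.
DENIED_SUFFIXES = ("blocked.example", "ads.example.net")


def sni_allowed(sni: str, denied=DENIED_SUFFIXES) -> bool:
    """True unless the SNI is a denied name or a subdomain of one."""
    name = sni.strip().rstrip(".").lower()
    if not name or name == "-":      # Squid sends "-" when no SNI was seen: fail closed
        return False
    return not any(name == d or name.endswith("." + d) for d in denied)


def handle_line(line: str, denied=DENIED_SUFFIXES) -> str:
    """Turn one request line from Squid into the reply line it expects."""
    parts = line.split(None, 1)
    if len(parts) == 2 and parts[0].isdigit():   # concurrency: channel-id first
        prefix, sni = parts[0] + " ", parts[1]
    else:
        prefix, sni = "", (parts[0] if parts else "")
    return prefix + ("OK" if sni_allowed(sni, denied) else "ERR")


def main() -> None:
    # Squid blocks until it gets exactly one reply per request line, so flush.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```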

