[squid-users] peek/splice working with lynx but not with firefox or chrome

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 10 14:08:55 UTC 2015

On 11/03/2015 2:46 a.m., Roel van Meer wrote:
> Hi list!
> I'm trying to get peek/splice working with intercepted https
> connections. The final goal is to accept or reject connections based on
> the SNI info that we get from the first peek. So first, I would like to
> be able to do peek/splice on all requests, and then later I can use an
> external acl to block some of them.
> I'm having trouble getting the first step to work. My peek/splice config
> works when I use lynx as a browser, but not (well) with firefox or
> chrome. The latter two sometimes return a result, but often don't. When
> this happens I get diverse errors in the cache log like:
>  Error negotiating SSL on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
>  Error negotiating SSL on FD 41: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
>  Error negotiating SSL on FD 31: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
> The relevant portions of squid.conf:
>  https_port intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem

With "options=ALL" you have enabled all features in the OpenSSL library,
including features which can cause the popular modern browsers to view
Squid as a dangerously insecure server.

>  acl step1 at_step SslBump1
>  acl step2 at_step SslBump2
>  acl step3 at_step SslBump3
>  ssl_bump peek step1
>  ssl_bump peek step2
>  ssl_bump splice all

There's nothing in the above which uses SNI. All that does is cause Squid
to explicitly look at the TLS handshake that is going on, then to
splice the two connections together as if it weren't there.

>  sslproxy_cert_error allow all
>  sslproxy_flags DONT_VERIFY_PEER

Then you are explicitly disabling the checks to ensure the connections
Squid uses to send the clients' private data to servers are secure.

> I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
> Traffic is redirected from port 443 to 3130 with iptables.

... and with an older version of OpenSSL missing many of the last few
years' worth of TLS crypto features. IIRC the library releases are now up
to 1.1.* or something. It's best to keep that kind of thing running the
latest versions.

It may sound silly, but do all those browsers even support SNI on your
OS with the crypto libraries they use?
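A squid.conf fragment that applies the points made in the reply above, as an added example that is not part of the original post and not Squid project documentation. It assumes the intercept port 3130 and the certificate path from the question, and uses .example.com as a placeholder domain list for the SNI-based decision; the weak directives from the question are kept as comments beside their replacements.

```conf
# --- Weak settings from the question, kept as comments for comparison ---
# https_port intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem
# sslproxy_cert_error allow all
# sslproxy_flags DONT_VERIFY_PEER

# Listening port: 3130 is the iptables redirect target from the question.
# Instead of options=ALL, disable only the legacy protocol versions.
https_port 3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem options=NO_SSLv2,NO_SSLv3

# sslproxy_cert_error and sslproxy_flags are left at their defaults, so
# Squid verifies the origin server certificate on any connection it bumps.

acl step1 at_step SslBump1

# Domains allowed through. .example.com is a placeholder (assumption);
# at step 1 ssl::server_name is populated from the ClientHello SNI.
acl splice_ok ssl::server_name .example.com

# Step 1: peek at the ClientHello so the SNI is known.
ssl_bump peek step1
# Step 2: splice the connections whose SNI matched, terminate the rest.
ssl_bump splice splice_ok
ssl_bump terminate all
```

Peeking only at step 1 means the decision is made on the client's SNI before Squid opens a connection to the origin server; a client whose SNI does not match gets a TLS failure instead of a spliced tunnel, which is the "accept or reject on SNI" behaviour the question asked for. Check the file with `squid -k parse` and apply it with `squid -k reconfigure`.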


More information about the squid-users mailing list