[squid-users] 2 way SSL on a non standard SSL Port
bart.spedden at 3sharecorp.com
Mon Nov 30 23:37:39 UTC 2015
Good idea Anthony.
Here's what I found.
On the squid server when I use the following command to monitor a call to
tcpdump -i eth0 -vv 'port 443'
I get the following:
17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto
TCP (6), length 60)
d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum
0x62f0 (correct), seq 3198653455, win 14600, options [mss 1460,sackOK,TS
val 530978513 ecr 0,nop,wscale 7], length 0
17:32:56.390214 IP (tos 0x0, ttl 42, id 42485, offset 0, flags [none],
proto TCP (6), length 60)
qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum
0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, options [mss
1380,nop,nop,TS val 953915655 ecr 530978513,nop,wscale 7], length 0
17:32:56.390423 IP (tos 0x0, ttl 64, id 33503, offset 0, flags [DF], proto
TCP (6), length 52)
d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [.], cksum
0x11f5 (correct), seq 1, ack 1, win 115, options [nop,nop,TS val 530978529
ecr 953915655], length 0
17:32:56.605977 IP (tos 0x0, ttl 64, id 33504, offset 0, flags [DF], proto
TCP (6), length 329)
d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum
0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, options
[nop,nop,TS val 530978745 ecr 953915655], length 277
17:32:56.622191 IP (tos 0x0, ttl 42, id 42578, offset 0, flags [none],
proto TCP (6), length 52)
qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [.], cksum
0x0e3e (correct), seq 1, ack 278, win 341, options [nop,nop,TS val
953915887 ecr 530978745], length 0
but when I monitor on the non-stand https port (8184) that I'm trying to
connect to I do not see any traffic at all. So this leads me to believe
that squid is not actually trying to make the call on the client's behalf.
So I'm feeling a bit lost.
I've upgraded to 3.5.11.
The only change I made to the default /etc/squid/squid.conf is to add the
two non stand https ports that I need to connect to via:
acl SSL_ports port 443 8184 8185
Is there anyway to get more logging out of squid? I tried adding
debug_option ALL to the squid.conf but didn't see any more logging.
On Mon, Nov 30, 2015 at 10:59 AM, Antony Stone <
Antony.Stone at squid.open.source.it> wrote:
> On Monday 30 November 2015 at 18:53:54, Bart Spedden wrote:
> > I can successfully connect as long as I don't use squid for either 1 way
> > 2 way TLS connections. I've also successfully connect via curl. So, I
> > like the site's certs are working well. I could be totally off base here
> > but my interpretation of the the 503 (service unavailable) is that squid
> > timing out on tls handshake? But what is weird is that when using squid I
> > can successfully connect to google using https. So, that is what makes me
> > wonder if it has something to do with the non-standard https port?
> If it's a timeout, you should be able to see this with a standard
> wireshark /
> tcpdump packet capture (no SSL inspection necessary) on your
> router (or anywhere else which is a common path both when going direct from
> the client, and via Squid).
> Comparing the two (even though you can't decode the content of the packets)
> may well give a clue as to what's going on differently between the two
> types of
> Users don't know what they want until they see what they get.
> Please reply to the
> please *don't* CC
> squid-users mailing list
> squid-users at lists.squid-cache.org
Bart Spedden | Senior Developer
*bart.spedden at 3sharecorp.com <bart.spedden at 3sharecorp.com>*
3 | S H A R E | Adobe Digital Marketing Experts | An Adobe® Business
Plus Level Solution PartnerConsulting | Training | Remote Operations
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 16361 bytes
Desc: not available
More information about the squid-users