[squid-users] 2 way SSL on a non standard SSL Port

Bart Spedden bart.spedden at 3sharecorp.com
Mon Nov 30 23:37:39 UTC 2015


Good idea, Antony.

Here's what I found.

On the squid server when I use the following command to monitor a call to
https://www.google.com

tcpdump -i eth0 -vv 'port 443'

I get the following:

17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto
TCP (6), length 60)

    d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum
0x62f0 (correct), seq 3198653455, win 14600, options [mss 1460,sackOK,TS
val 530978513 ecr 0,nop,wscale 7], length 0

17:32:56.390214 IP (tos 0x0, ttl 42, id 42485, offset 0, flags [none],
proto TCP (6), length 60)

    qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum
0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, options [mss
1380,nop,nop,TS val 953915655 ecr 530978513,nop,wscale 7], length 0

17:32:56.390423 IP (tos 0x0, ttl 64, id 33503, offset 0, flags [DF], proto
TCP (6), length 52)

    d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [.], cksum
0x11f5 (correct), seq 1, ack 1, win 115, options [nop,nop,TS val 530978529
ecr 953915655], length 0

17:32:56.605977 IP (tos 0x0, ttl 64, id 33504, offset 0, flags [DF], proto
TCP (6), length 329)

    d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum
0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, options
[nop,nop,TS val 530978745 ecr 953915655], length 277

17:32:56.622191 IP (tos 0x0, ttl 42, id 42578, offset 0, flags [none],
proto TCP (6), length 52)

    qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [.], cksum
0x0e3e (correct), seq 1, ack 278, win 341, options [nop,nop,TS val
953915887 ecr 530978745], length 0

but when I monitor on the non-standard https port (8184) that I'm trying to
connect to I do not see any traffic at all.  So this leads me to believe
that squid is not actually trying to make the call on the client's behalf.

So I'm feeling a bit lost.

I've upgraded to 3.5.11.

The only change I made to the default /etc/squid/squid.conf is to add the
two non-standard https ports that I need to connect to via:

acl SSL_ports port 443 8184 8185

Is there any way to get more logging out of squid?  I tried adding
debug_option ALL to the squid.conf but didn't see any more logging.

On Mon, Nov 30, 2015 at 10:59 AM, Antony Stone <
Antony.Stone at squid.open.source.it> wrote:

> On Monday 30 November 2015 at 18:53:54, Bart Spedden wrote:
>
> > I can successfully connect as long as I don't use squid for either 1 way
> > or 2 way TLS connections. I've also successfully connected via curl. So, I
> > feel like the site's certs are working well. I could be totally off base
> > here, but my interpretation of the 503 (service unavailable) is that squid
> > is timing out on the tls handshake? But what is weird is that when using
> > squid I can successfully connect to google using https. So, that is what
> > makes me wonder if it has something to do with the non-standard https port?
>
> If it's a timeout, you should be able to see this with a standard wireshark /
> tcpdump packet capture (no SSL inspection necessary) on your external-facing
> router (or anywhere else which is a common path both when going direct from
> the client, and via Squid).
>
> Comparing the two (even though you can't decode the content of the packets)
> may well give a clue as to what's going on differently between the two
> types of connection.
>
>
> Antony.
>
> --
> Users don't know what they want until they see what they get.
>
> Please reply to the list; please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Bart Spedden  |  Senior Developer
+1.720.210.7041  |  bart.spedden at 3sharecorp.com
3 | S H A R E  |  Adobe Digital Marketing Experts  |  An Adobe® Business
Plus Level Solution Partner
Consulting  |  Training  |  Remote Operations Management
<http://www.3sharecorp.com/en/services/rom.html>
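As an added example (not part of this thread or of Squid), a small Python script that reads tcpdump -vv output like the capture above, re-joins records that a mail client has wrapped, and summarizes per connection whether the TCP handshake completed and how many payload bytes went each way. The port-8184 record in the sample is an assumed one (the post saw no such traffic); the host name backend.example.net is a placeholder.

```python
import re
# Constructed sample: three records copied from the tcpdump -vv output in the
# post (still wrapped the way the mail client wrapped them) plus one ASSUMED
# record of a SYN toward the non-standard port 8184 that was never answered.
SAMPLE = """\
17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto
TCP (6), length 60)
    d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum
0x62f0 (correct), seq 3198653455, win 14600, options [mss 1460,sackOK,TS
val 530978513 ecr 0,nop,wscale 7], length 0
17:32:56.390214 IP (tos 0x0, ttl 42, id 42485, offset 0, flags [none],
proto TCP (6), length 60)
    qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum
0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, options [mss
1380,nop,nop,TS val 953915655 ecr 530978513,nop,wscale 7], length 0
17:32:56.605977 IP (tos 0x0, ttl 64, id 33504, offset 0, flags [DF], proto
TCP (6), length 329)
    d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum
0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, options
[nop,nop,TS val 530978745 ecr 953915655], length 277
17:33:10.000000 IP (tos 0x0, ttl 64, id 33600, offset 0, flags [DF], proto TCP (6), length 60)
    d6uxpci.lq.com.46602 > backend.example.net.8184: Flags [S], cksum 0x0000 (correct), seq 1, win 14600, length 0
"""
RECORD = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ", re.M)
PACKET = re.compile(r"(\S+) > (\S+): Flags \[([^\]]*)\].* length (\d+)$")

def parse_packets(text):
    # Re-join each record's wrapped lines so the trailing TCP payload
    # 'length' (not the IP total length) is what the regex picks up.
    starts = [m.start() for m in RECORD.finditer(text)] + [len(text)]
    for a, b in zip(starts, starts[1:]):
        m = PACKET.search(" ".join(text[a:b].split()))
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def summarize_flows(text):
    # Flow key is (initiator, responder); reversed endpoints map to the same flow.
    flows = {}
    for src, dst, flags, plen in parse_packets(text):
        key = (dst, src) if (dst, src) in flows else (src, dst)
        f = flows.setdefault(key, dict(syn=False, synack=False, c2s=0, s2c=0))
        if flags == "S":
            f["syn"] = True
        elif flags == "S.":
            f["synack"] = True
        f["c2s" if src == key[0] else "s2c"] += plen  # payload bytes per direction
    for f in flows.values():  # what each connection actually achieved
        f["state"] = ("established" if f["syn"] and f["synack"]
                      else "SYN sent, no SYN-ACK" if f["syn"] else "mid-stream")
    return flows
```

Run it over a capture filtered on `port 443` and one filtered on `port 8184`: the first should show an established flow with 277 bytes sent by the Squid host, and an empty result for the second confirms Squid never even sent a SYN toward the non-standard port.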