[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Jason Haar Jason_Haar at trimble.com
Fri Oct 2 18:08:38 UTC 2015


On 02/10/15 23:43, Amos Jeffries wrote:
> I'm suspecting the order of these options screws things up. Or maybe
> just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL

...but I don't even use sslproxy_options.... There have been at least 3
people saying that bump doesn't work with that site - we all won't have
identical configs.

Chrome reports "ERR_CONNECTION_CLOSED" and Firefox "The connection to
banking.postbank.de was interrupted while the page was loading." - that
doesn't even sound cert-related - more TCP related (between client and
squid). Remember: the site works fine when squid is set to splice that site.

I have compared the fake cert generated by squid against the real one
and there are obvious differences (using "openssl s_client -connect
banking.postbank.de:443 -servername banking.postbank.de|openssl x509
-noout -text"). References to "Certificate Policies" and "Certificate
Transparency" are present in the real cert and there's no equivalent in
the Fake cert. How that could trigger a TCP reset is beyond me. I've
also cranked up logging and there was nothing overt showing an issue.

Real:

             X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa
           X509v3 Basic Constraints:
                CA:FALSE
           1.3.6.1.4.1.11129.2.4.2:
                ...k.i.w.......X......gp
.....N.........H0F.!......<
...u.V.../.......D.>.Fv....\....U.......N...J.....F0D.
.W!....z...@'..n...C.W ....m.K/..
....S.R,...K....T....u..)e.......w.h....d..:...(.L.qQ]g..D.
g..OO.....N.........H0F.!.....~F.n#
Y..&^.v.....x.+........!..n..J at 9.[.....J.C.1.L5.(.%%..9..
    Signature Algorithm: sha256WithRSAEncryption


Fake:

            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption




-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
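The comparison above was done by eye on two `openssl x509 -noout -text` dumps. The following is an added example, not part of this thread and not Squid's code: a small parser for that text format that lists the X509v3 extension names in each dump and reports which ones the mimicked certificate lacks. The two dumps embedded below are constructed, abbreviated samples modelled on the post (the SCT blob is replaced by a placeholder line); the OID-to-name table covers only the one OID the post shows, which is the RFC 6962 SCT list extension.

```python
"""Diff the X509v3 extensions of two `openssl x509 -noout -text` dumps.

Typical use on a bumping proxy: feed it the dump of the origin server's
certificate and the dump of the certificate the proxy generated, and see
which extensions the forgery dropped or added.
"""
from typing import Dict, List

SECTION_START = "X509v3 extensions:"
SECTION_END = "Signature Algorithm:"

# Human-readable names for OIDs that older OpenSSL releases print numerically.
# 1.3.6.1.4.1.11129.2.4.2 is the certificate SCT list extension from RFC 6962.
OID_NAMES = {"1.3.6.1.4.1.11129.2.4.2": "CT Precertificate SCTs"}

# Constructed sample: extension section of the origin server's certificate.
REAL_DUMP = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:banking.postbank.de
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://d.symcb.com/cps
            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.4.1.11129.2.4.2:
                <binary SCT list omitted in this constructed sample>
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: extension section of the proxy-generated certificate.
FAKE_DUMP = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:banking.postbank.de
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""


def extension_names(dump: str) -> List[str]:
    """Return the extension names between 'X509v3 extensions:' and the signature.

    Extension headers are the lines at the first indentation level inside the
    section; their values (and any binary garbage openssl prints for unknown
    extensions) sit at other indentation levels and are skipped.
    """
    names: List[str] = []
    in_section = False
    header_indent = None
    for line in dump.splitlines():
        stripped = line.strip()
        if not in_section:
            in_section = stripped == SECTION_START
            continue
        if stripped.startswith(SECTION_END):
            break
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            header_indent = indent
        if indent == header_indent and ":" in stripped:
            # "X509v3 Basic Constraints: critical" -> "X509v3 Basic Constraints"
            names.append(stripped.split(":", 1)[0].strip())
    return names


def describe(name: str) -> str:
    """Map a numeric OID to a friendly name where one is known."""
    return OID_NAMES.get(name, name)


def compare_extensions(real_dump: str, fake_dump: str) -> Dict[str, List[str]]:
    """Report extensions present in only one of the two dumps (order preserved)."""
    real = extension_names(real_dump)
    fake = extension_names(fake_dump)
    return {
        "missing_in_fake": [n for n in real if n not in fake],
        "extra_in_fake": [n for n in fake if n not in real],
    }


if __name__ == "__main__":
    result = compare_extensions(REAL_DUMP, FAKE_DUMP)
    for key, names in result.items():
        print(f"{key}:")
        for name in names:
            print(f"  {describe(name)}")
```

To run it against live data, replace the two constructed dumps with the output of `openssl s_client -connect host:443 -servername host | openssl x509 -noout -text` taken once through the proxy and once directly. A dropped Certificate Policies or SCT extension is a useful thing to know when comparing a real and a mimicked certificate, but, as the post itself notes, a browser failure that presents as a closed TCP connection rather than a certificate warning usually points elsewhere.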


