[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Dieter Bloms squid at bloms.de
Wed Sep 16 15:16:18 UTC 2015


Hello Antony,


On Wed, Sep 16, Antony Stone wrote:

> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
> 
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS and sslbump enable.
> > But I can't get any access to the destination
> > https://banking.postbank.de, which is accessible with 3.4.13.
> > I use the same config for both squid versions.
> 
> 1. What is that configuration (squid.conf without comments or blank lines, 
> please)?

the relevant part is:

--snip--
acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump none nodecryptdomains
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher  ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
--snip--

the destination banking.postbank.de is not listed in the /etc/squid/nodecrypt.domains file

with squid-3.4.13 the logs look like:

--snip--
1442410263.639     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.737     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.738     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.739     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.751     33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
1442410263.822     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.823     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
--snip--

with squid 3.5.8 the logs look like:

--snip--
1442410295.266     32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297     28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.328     29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.379     43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.420     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.460     38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.500     37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.548     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.590     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.629     36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


> 2. What differences do you get in the log files between the two versions when 
> you try to access that site?
> 
> This information may give us something to go on in helping with your problem.
> 
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "Black holes are where God divided by zero."
> 
>  - Steven Wright
> 
>                                                    Please reply to the list;
>                                                          please *don't* CC me.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
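As an added example (not code from the thread or from the Squid project), a small Python script that parses native-format access.log lines like the two excerpts above and flags hosts where every CONNECT was logged with zero bytes and no decrypted https request ever followed, which is exactly what the 3.5.8 excerpt shows and the 3.4.13 excerpt does not. The sample lines are constructed from the excerpts; the field layout is assumed to be Squid's default native log format.

```python
"""Detect hosts whose CONNECTs never yield bumped (decrypted) requests in a
squid native-format access.log. Sample lines are constructed from the thread
above; the field layout is assumed to be the default native format."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed samples (CLIENTIP and peer IP copied from the thread, not live traffic).
LOG_3_4_13 = """\
1442410263.639     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.737     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
""".splitlines()
LOG_3_5_8 = """\
1442410295.266     32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297     28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
""".splitlines()

def parse_native_line(line):
    """Native format: time elapsed client code/status bytes method URL ident hier/peer type."""
    f = line.split()
    if len(f) < 10:
        return None  # malformed or truncated line, skip it
    code, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hier": hier, "peer": peer, "type": f[9]}

def host_of(entry):
    """CONNECT logs host:port; a bumped request logs a full https:// URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname

def bump_stats(lines):
    """Per host: [CONNECT count, bytes through those tunnels, decrypted https requests]."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in lines:
        e = parse_native_line(line)
        if e is None:
            continue
        h = host_of(e)
        if e["method"] == "CONNECT":
            stats[h][0] += 1
            stats[h][1] += e["bytes"]
        elif e["url"].startswith("https://"):
            stats[h][2] += 1
    return dict(stats)

def unbumped_hosts(lines):
    """Hosts that were CONNECTed to, carried no bytes and produced no decrypted request."""
    return sorted(h for h, (c, b, d) in bump_stats(lines).items()
                  if c > 0 and b == 0 and d == 0)

if __name__ == "__main__":
    print("3.4.13:", unbumped_hosts(LOG_3_4_13))  # []
    print("3.5.8: ", unbumped_hosts(LOG_3_5_8))   # ['banking.postbank.de']
```

Run it against a real access.log (one line per list element) to list every destination that the new bump configuration silently fails on, rather than finding them one user complaint at a time.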

