[squid-users] Facing issue in Internet explorer

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 12 09:55:40 UTC 2016


On 12/02/2016 9:07 p.m., Prasad Desai wrote:
> Hi,
> 
> I have successfully configured SSLBump Peek and Splice in my transparent
> proxy and it is working as expected except in Internet explorer.
> 
> For example, in IE version 8, getting an error given below,
> 

A very out of date version. Are you able to upgrade that?

When the problem only appears with one particular other piece of
software it's usually not Squid.


> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:1409F07F:SSL
> routines:SSL3_WRITE_PENDING:bad write retry
> 
> Below is squid.conf,
> 
> visible_hostname mysite.com
> httpd_suppress_version_string on
> via off
> forwarded_for delete
> deny_info http://192.168.3.33/error.html blockfiles

"blockfiles" does not exist. It is a bit surprising your squid.conf
actually loads with this invalid line.

> acl lan src 192.168.4.0/24 192.168.6.0/24 192.168.3.0/24
> http_access allow lan

Bad idea to do this here. Put it later, just above the "http_access deny
all" line.

<snip>
> strip_query_terms off
> http_access allow manager localhost
> http_access deny manager

Best Current Practice is also to place these below the CONNECT rule. If
you also shuffle the first line to have "localhost manager" it will
further increase the speed.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> sslproxy_flags DONT_VERIFY_PEER DONT_VERIFY_DOMAIN
> acl disable-ssl-bump ssl::server_name "/etc/squid/no-ssl-bump.acl"
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BadSite

> acl step1 at_step SSLBump1
> acl step2 at_step SSLBump2
> acl step3 at_step SSLBump3
> ssl_bump peek step1 all
> ssl_bump splice step2 disable-ssl-bump
> ssl_bump stare step2 all
> ssl_bump splice step3 disable-ssl-bump
> ssl_bump bump step3 all

I'd write that as:

 ssl_bump peek step1
 ssl_bump splice disable-ssl-bump
 ssl_bump stare step2
 ssl_bump bump all


> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myca.pem
> key=/etc/squid/ssl_cert/myca.pem
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
> sslcrtd_children 8 startup=1 idle=1
<snip>

> Any inputs to resolve this error will be much appreciated.
> 


Also, what is the output of "squid -v" ?


Amos
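The three configuration points raised in this reply (a deny_info that names an undefined ACL, http_access allow rules placed above the Safe_ports/CONNECT denies, and the "localhost manager" ordering) can be checked mechanically. The linter below is an added example, not code from the thread or from the Squid project; it assumes that the ACLs "all", "manager", "localhost", "Safe_ports", "SSL_ports" and "CONNECT" are supplied by Squid's built-ins or the stock squid.conf that precedes the quoted fragment, and its sample input is a constructed fragment modelled on the one quoted above.

```python
# Constructed squid.conf fragment modelled on the one quoted in this thread
# (not the poster's real file); "blockfiles" is deliberately left undefined.
SAMPLE_CONF = """\
deny_info http://192.168.3.33/error.html blockfiles
acl lan src 192.168.4.0/24 192.168.6.0/24 192.168.3.0/24
http_access allow lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Assumption: these ACLs come from Squid's built-ins or the stock squid.conf
# that precedes the quoted fragment, so they count as already defined.
PREDEFINED_ACLS = {"all", "manager", "localhost", "Safe_ports", "SSL_ports", "CONNECT"}
PORT_DENIES = {"Safe_ports", "SSL_ports"}


def lint(conf):
    """Return (line_number, message) tuples for the problems discussed above."""
    defined = set(PREDEFINED_ACLS)
    findings = []
    port_denies_seen = False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        directive, args = parts[0], parts[1:]
        if directive == "acl" and args:
            defined.add(args[0])
            continue
        if directive not in ("deny_info", "http_access") or len(args) < 2:
            continue
        # deny_info URL acl...   /   http_access allow|deny acl...
        acls = [a.lstrip("!") for a in args[1:]]
        for name in acls:
            if name not in defined:
                findings.append((lineno, f"{directive} references undefined ACL '{name}'"))
        if directive != "http_access":
            continue
        action = args[0]
        if action == "deny" and PORT_DENIES & set(acls):
            port_denies_seen = True
        elif action == "allow" and not port_denies_seen:
            findings.append((lineno, f"'{raw.strip()}' comes before the Safe_ports/CONNECT deny rules; move it below them"))
        if action == "allow" and acls[:2] == ["manager", "localhost"]:
            findings.append((lineno, "write 'localhost manager' so the cheap src test runs first"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```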


