[squid-users] cannot intercept "https://www.elastic.co/"

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 15 13:26:56 UTC 2016


On 15/02/2016 9:15 p.m., Murat K wrote:
> Hi, I am running squid-3.3.8 (I also tried with Squid 3.5.0.4) on a centos 6.7 machine with openssl-1.0.1e-30.el6.8.x86_64,

The Squid versions numbered 3.X.0.Z are beta releases from over a year ago.

Please use a stable version of 3.5. Preferably 3.5.10 - 3.5.12 right
now. Or 3.5.14 when it's available.



> I have no problem with most of the ssl sites however when I try to
> connect to "https://www.elastic.co/" browsers cannot render the whole
> page (tried on windows 8 with chrome, ubuntu mozilla)
> I get below error from cache.log:
> 2016/02/12 17:39:25 kid2| Error negotiating SSL on FD 57: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
> And below errors from the browser:
> ReferenceError: jQuery is not defined
> }(jQuery));
> GET https://813-mam-392.mktoresp.com/webevents/visitW...chPc=https%3A&_mchVr=151&_mchHa=&_mchRe=&_mchQp= 200 Aborted
> munchkin.js (line 10)
> ReferenceError: $ is not defined
> $(document).ready(function(){

The JavaScript in whatever page is being displayed is badly broken.

> my squid config is like that:
> http_port 0.0.0.0:8080 ssl-bump cert=/var/proxy/https_cert generate-host-certificates=on
> http_port 0.0.0.0:18080 intercept ssl-bump cert=/var/proxy/https_cert generate-host-certificates=on
> https_port 0.0.0.0:18081 intercept ssl-bump cert=/var/proxy/https_cert generate-host-certificates=on
> acl no_ssl_interception dstdom_regex "/etc/squid/https_exceptions"
> ssl_bump none localhost
> ssl_bump none no_ssl_interception
> ssl_bump server-first all
> acl https_proto proto https
> always_direct allow https_proto
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> what can cause this?
> And another problem, I cannot bypass some sites defined in the "/etc/squid/https_exceptions" file from https interception like "https://api.nuget.org/v3/", what can cause this?
> thanks a lot,
> Murat

There are a few issues in that config. But you need to upgrade to a
current Squid before it's worth fixing those.

Amos


