[squid-users] HTTPS bump doesn't work with websites that require SNI

Eliezer Croitoru eliezer at ngtech.co.il
Sun Jul 10 14:12:36 UTC 2016


Hey,

 

What version of squid is provided on pfsense and what version are you using?

 

Eliezer


----

 <http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il




From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yi?itcan U?UM
Sent: Sunday, July 10, 2016 3:49 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] HTTPS bump doesn't work with websites that require SNI


Hello there. We're using pfsense and squid-proxy to bump https connections between some of our machines and www. The setup seems to work fine for most of the https sites, but it doesn't work for the others.


One example of these sites is "docs.docker.com". Even though we can connect to "docker.com", we can't connect to "docs.docker.com".


The error we get is:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Upon further investigation we found out that this happens because some sites require SNI to supply the correct SSL certificate.

You can test this out with:

-------------------------------

openssl s_client -connect docs.docker.com:443 -> ERROR

140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:

-------------------------------

openssl s_client -connect docs.docker.com:443 -servername docs.docker.com -> Works

--------------------------------

Squid seems to make https requests without the SNI. How can we configure Squid to use SNI? Thanks.
