[squid-users] HTTPS bump doesn't work with websites that require SNI

Yiğitcan UÇUM yucum at amonra.com.tr
Mon Jul 11 07:16:53 UTC 2016


Hello there,

Thanks for your interest. The versions we use are:

Squid Cache: Version 3.4.10
OpenSSL 1.0.2h  3 May 2016
----------
Configuration we use for https bumping:
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Hey,
>
> What version of squid is provided on pfsense and what version are you
> using?
>
> Eliezer
>
> ----
>
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On
> Behalf Of *Yiğitcan UÇUM
> *Sent:* Sunday, July 10, 2016 3:49 PM
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] HTTPS bump doesn't work with websites that
> require SNI
>
> Hello there. We're using pfsense and squid-proxy to bump https connections
> between some of our machines and www. The setup seems to work fine for
> most of the https sites, but it doesn't work for the others.
>
> One example of these sites is "docs.docker.com". Even though we can
> connect to "docker.com", we can't connect to "docs.docker.com".
>
> The error we get is:
>
> (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> Upon further investigation we found out that this happens because some
> sites require SNI to supply correct SSL certificate.
>
> You can test this out with:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -> ERROR
>
> 140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -servername docs.docker.com ->
> Works
>
> --------------------------------
>
> Squid seems to make https request without the SNI. How can we configure
> Squid to use SNI? Thanks.
>
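The thread's diagnosis rests on one observation: the proxy's outbound ClientHello carries no server_name (SNI) extension, so the origin answers with a handshake-failure alert. Besides the openssl s_client comparison quoted above, a practitioner will usually want to confirm this from the proxy's side, by inspecting the ClientHello the proxy actually emits (for example, the first TLS record of an outbound connection in a packet capture). The following Python is an added example for this list post, not Squid code and not something the original posters wrote. It builds two constructed ClientHello records (one with SNI, one without, plus a legacy one with no extensions block at all) and parses them the way a capture-inspection script would, walking the extensions list and returning the server_name if present.

```python
import struct

SNI_EXT = 0x0000          # TLS extension type: server_name (RFC 6066)
EC_POINT_FORMATS = 0x000b  # an unrelated extension, used here as a dummy the parser must skip


def build_client_hello(server_name=None, with_extensions=True):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture).

    server_name=None produces a ClientHello without an SNI extension, which is
    the kind of hello the thread observes Squid 3.4 sending when bumping.
    """
    body = b"\x03\x03" + b"\x00" * 32          # client_version + 32-byte random (zeros: constructed)
    body += b"\x00"                            # session_id length = 0
    body += b"\x00\x02\xc0\x2f"                # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                        # one compression method: null
    if with_extensions:
        extensions = b""
        # dummy extension first, so a correct parser has to skip it before finding SNI
        ecpf = b"\x01\x00"                     # ec_point_formats: one entry, uncompressed
        extensions += struct.pack("!HH", EC_POINT_FORMATS, len(ecpf)) + ecpf
        if server_name is not None:
            name = server_name.encode("ascii")
            # ServerNameList: entries of name_type(1, 0 = host_name) + length(2) + name
            sni_list = b"\x00" + struct.pack("!H", len(name)) + name
            sni_body = struct.pack("!H", len(sni_list)) + sni_list
            extensions += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 hdr


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None if there is no SNI.

    Raises ValueError if the bytes are not a TLS handshake record containing a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # skip compression_methods
    if pos >= len(body):
        return None                                # legacy hello: no extensions block at all

    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT:
            continue                               # skip every other extension
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:                     # 0 = host_name
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello("docs.docker.com")),
                         ("extensions but no SNI", build_client_hello()),
                         ("no extensions", build_client_hello(with_extensions=False))):
        print(f"{label:24s} -> server_name = {extract_sni(hello)!r}")
```

Run against the first record of a captured proxy-to-origin connection, a `None` result is the condition the thread describes: the origin never learns which virtual host is wanted and, for a host such as docs.docker.com that needs the name to pick a certificate, replies with the handshake-failure alert quoted in the error. The same check run on the client-to-proxy side shows whether the browser supplied an SNI value the proxy could have forwarded.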