[squid-users] HTTPS bump doesn't work with websites that require SNI

Alex Rousskov rousskov at measurement-factory.com
Mon Jul 11 14:43:37 UTC 2016


On 07/11/2016 01:16 AM, Yiğitcan UÇUM wrote:

> Squid Cache: Version 3.4.10

> ssl_bump none localhost
> ssl_bump server-first all
> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER


Your Squid version does not support SslBump well. Please upgrade to the
latest Squid v3.5 or, if you prefer beta software with arguably better
SslBump support, v4.0.

Your squid.conf prohibits SNI forwarding. Together with the Squid
upgrade, please review modern SslBump configurations that use such
actions as "splice" and "bump":
http://wiki.squid-cache.org/Features/SslPeekAndSplice

Finally, ignoring certificate validation errors is rarely a good idea.
You may want to review that part of your configuration as well.


HTH,

Alex.
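A peek-then-splice-or-bump configuration of the kind Alex points to, added here as an illustration that is not from the thread or the Squid wiki; the port, file paths, ACL names and site list are assumptions:

```conf
# squid.conf fragment for Squid 3.5+ (assumed setup, not the poster's config).
# Peeking at step 1 reads the client's TLS ClientHello, so the client's SNI
# is known before Squid opens the server connection and is forwarded to it.

# Explicit proxy port with dynamic certificate generation (paths assumed).
http_port 3128 ssl-bump cert=/etc/squid/ssl/squidCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: only the TCP connection / CONNECT request is known.
acl step1 at_step SslBump1

# Sites to pass through untouched; ssl::server_name is filled from the
# SNI learned while peeking (site list is a placeholder).
acl nobump ssl::server_name .example-bank.test

ssl_bump none localhost
ssl_bump peek step1        # learn SNI, commit to nothing yet
ssl_bump splice nobump     # tunnel listed sites end to end
ssl_bump bump all          # intercept the rest, SNI forwarded to the server

# The original config carried these two lines, which disable server
# certificate validation. Leave them out so Squid validates the server's
# certificate and reports handshake errors instead of hiding them:
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
```

With this layout a site that needs SNI no longer fails at the server hello, because Squid's outbound ClientHello carries the name the client sent.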


> On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru wrote:
> 
>     Hey,
> 
>     What version of squid is provided on pfsense and what version are
>     you using?
> 
>     Eliezer
> 
>     ----
> 
>     Eliezer Croitoru
>     Linux System Administrator
>     Mobile: +972-5-28704261
>     Email: eliezer at ngtech.co.il
> 
>     *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
>     *On Behalf Of* Yiğitcan UÇUM
>     *Sent:* Sunday, July 10, 2016 3:49 PM
>     *To:* squid-users at lists.squid-cache.org
>     *Subject:* [squid-users] HTTPS bump doesn't work with websites that
>     require SNI
> 
>     Hello there. We're using pfsense and squid-proxy to bump https
>     connections between some of our machines and www. The setup seems to
>     work fine for most of the https sites, but it doesn't work for the
>     others.
> 
>     One example of these sites is "docs.docker.com". Even though we can
>     connect to "docker.com", we can't connect to "docs.docker.com".
> 
>     The error we get is:
> 
>     (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
>     Handshake with SSL server failed: error:14077410:SSL
>     routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> 
>     Upon further investigation we found out that this happens because
>     some sites require SNI to supply the correct SSL certificate.
> 
>     You can test this out with:
> 
>     -------------------------------
> 
>     openssl s_client -connect docs.docker.com:443 -> ERROR
> 
>     140612823746464:error:14077410:SSL
>     routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>     failure:s23_clnt.c:744:
> 
>     -------------------------------
> 
>     openssl s_client -connect docs.docker.com:443 -servername docs.docker.com -> Works
> 
>     --------------------------------
> 
>     Squid seems to make https requests without the SNI. How can we
>     configure Squid to use SNI? Thanks.
> 
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 


