[squid-users] sahibinden.com fails with https bump

Amos Jeffries squid3 at treenet.co.nz
Tue May 10 11:29:50 UTC 2016


On 10/05/2016 10:34 p.m., turgut kalfaoğlu wrote:
> Hello everyone..
> 
> My setup -- this is for speeding up the home ADSL..
> 
> https_port 3129 intercept ssl-bump \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>         cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch

Are you sure Squid is actually running this config file?

Where is the definition for this ACL you named "ssl::certDomainMismatch"?

Note that name and type of ACL are different things. Name is a text
string usually assigned by you. Type is how and what it matches against
when used.


> sslproxy_cert_error allow all

TLS is security. Ignoring all security errors is not good.


> sslproxy_flags DONT_VERIFY_PEER

The above flag should not be used outside some very specific debugging
circumstances. It breaks the other config settings about what to do with
errors.


> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 20 startup=3 idle=1
> ssl_bump server-first  all
> 
> This works well for facebook, gmail, google, and probably others..
> But https://sahibinden.com , whatever they are doing fails - the page
> appears broken.
> I tried the broken_sites acl trick, did not help.
> 

Two reasons possibly for that:

1) Order is important.

The exact ordering of the ssl_bump rules will determine which gets
applied. If "server-first all" is listed above "none broken_sites", then
the broken sites workaround will never be attempted.

2) you are intercepting traffic.

This means that the destination server name is not available to either
of server-first or "none" actions. All you have to work with is the
server raw-IP presented by TCP layer.

You need to upgrade to the peek-and-splice configuration actions for
server name and other TLS detail based workarounds to be useful.



> acl broken_sites ssl::server_name .sahibinden.com
> acl broken_sites ssl::server_name image5.sahibinden.com

This second entry should not be. The top entry overlaps.


> acl broken_sites ssl::server_name .shbdn.com
> ssl_bump none broken_sites
> 
> Does anyone have any ideas what else I can try?


Are you using the very latest 3.5.19 release?
If not please upgrade your Squid.
If you are please upgrade your config rules.

Amos
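As an added illustration of the points raised in the reply above (this fragment is not from the poster, from Amos, or from the Squid project), here is the poster's config reworked into the peek-and-splice form Amos recommends. It assumes Squid 3.5; the file paths and ACL names are the poster's own, and the definition of the `ssl::certDomainMismatch` ACL is an assumption about what the original config intended, since the post never defines it.

```conf
# Added example, not the original poster's config or Squid's defaults.
# Assumes Squid 3.5 with peek-and-splice support; paths are the poster's own.
https_port 3129 intercept ssl-bump \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 20 startup=3 idle=1

# Assumed definition for the ACL that sslproxy_cert_adapt refers to
# (the original post uses the name without ever defining it).
acl ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch

# Deliberately absent: "sslproxy_cert_error allow all" and
# "sslproxy_flags DONT_VERIFY_PEER". Upstream certificate errors are
# reported to the client instead of being silently ignored.

# The .sahibinden.com entry already covers image5.sahibinden.com,
# so the second entry from the original post is dropped.
acl broken_sites ssl::server_name .sahibinden.com
acl broken_sites ssl::server_name .shbdn.com

acl step1 at_step SslBump1

# Step 1: intercepted traffic arrives with only a raw destination IP,
# so peek at the ClientHello to learn the SNI before deciding anything.
ssl_bump peek step1
# Step 2: ssl::server_name is now populated; pass the broken sites
# through untouched rather than bumping them.
ssl_bump splice broken_sites
# Everything else gets bumped. Order matters: this catch-all must come last.
ssl_bump bump all
```

The key difference from the original is that `peek` at step 1 makes `ssl::server_name` usable at step 2, which `server-first all` on intercepted traffic never allows; the `splice broken_sites` line is placed before the catch-all `bump all` so the workaround is actually evaluated.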


