[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

David Touzeau david at articatech.com
Tue Jan 24 10:42:03 UTC 2017


This is a different log trace from David's.

Here Squid is setting up a TUNNEL to the client's original dst-IP,
successfully. Any TLS funky stuff going on for this transaction is done
directly between server and client. Squid's only involvement is to peek at
the Hello messages and record them for its log.

But some of those details (i.e. the agreed cipher) come from the ServerHello
on successful TLS setup. So I think no errors happened in that log entry's
transaction.

Amos

______________________________________________________________________________________________


Hi, I tried with

acl nossl dst 104.16.41.2
acl nossl2 dstdomain -i .mozilla.org
ssl_bump splice nossl
ssl_bump splice nossl2
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

1485252508.663      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
1485252509.385      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html

Using Squid on port 3128 without any bump allows access to mozilla.

So if there is any acl, it will be blocked on both.

Will return to the list with a full debug mode.
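Added example, not code from the thread: a small Python classifier for Squid native-format access.log lines like the two quoted above, separating CONNECT requests that Squid refused before opening any tunnel (TAG_NONE/403 with HIER_NONE/-) from spliced tunnels where TLS ran end to end. The TCP_TUNNEL/200 sample line and the field names are my assumptions about the log format, not taken from the posts.

```python
import re

# Squid native access.log format, as quoted in the thread:
# timestamp elapsed client tag/status bytes method url user hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Split one native-format line into its named fields."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def classify(e):
    """Label a CONNECT entry by how far Squid got with the tunnel."""
    if e["method"] != "CONNECT":
        return "not-connect"
    # HIER_NONE/- : Squid never opened an upstream connection, so the CONNECT
    # was refused by access rules before any TLS Hello could be peeked at.
    if e["hier"] == "HIER_NONE" and e["status"] == 403:
        return "denied-before-tunnel"
    # TCP_TUNNEL/200 with HIER_DIRECT (assumed format): tunnel to the origin
    # established and TLS negotiated end to end; Squid only observed the Hellos.
    if e["tag"] == "TCP_TUNNEL" and e["status"] == 200 and e["hier"] == "HIER_DIRECT":
        return "spliced-tunnel"
    return "other"

def summarize(lines):
    """Count classifications over a batch of log lines, skipping blanks."""
    counts = {}
    for line in lines:
        if line.strip():
            label = classify(parse_line(line))
            counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample: the two 403 lines are the thread's (re-joined onto one
# line each); the TCP_TUNNEL line is a made-up example of a successful splice.
SAMPLE_LOG = """\
1485252508.663      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
1485252509.385      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
1485252600.000    812 192.168.1.236 TCP_TUNNEL/200 5120 CONNECT 104.16.41.2:443 - HIER_DIRECT/104.16.41.2 -
"""
```

Running `summarize(SAMPLE_LOG.splitlines())` over the sample gives two denied CONNECTs and one spliced tunnel, which is the distinction Amos draws between a TUNNEL entry and a refused request.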



