[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

David Touzeau david at articatech.com
Tue Jan 24 11:50:00 UTC 2017



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of David Touzeau
Sent: Tuesday, 24 January 2017 11:42
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol


This is a different log trace from David's.

Here Squid is setting up a TUNNEL to the client's original dst-IP, successfully. Any TLS funky stuff going on for this transaction is done directly between server and client. Squid's only involvement is to peek at the Hello messages and record them for its log.

But some of those details (ie the agreed cipher) come from the ServerHello on successful TLS setup. So I think no errors happened in that log entry's transaction.

Amos

______________________________________________________________________________________________


Hi, tried with

# Exempt one destination IP and the mozilla.org domain from bumping
acl nossl dst 104.16.41.2
acl nossl2 dstdomain -i .mozilla.org
ssl_bump splice nossl
ssl_bump splice nossl2
# Name the three SslBump steps
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
# Peek at the ClientHello at step 1, then tunnel everything else untouched
ssl_bump peek ssl_step1
ssl_bump splice all
# Disable upstream certificate verification and accept every certificate error
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

1485252508.663      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
1485252509.385      2 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html

Using squid port 3128 without any bump allows accessing mozilla.

So if there is any acl, it will be blocked on both.

Will come back to the list with a full debug mode.


_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Using acl nossl ssl::server_name works like a charm.
Also after restarting C-ICAP everything is fine.
Thanks everyone 

* * * TOPIC CLOSED * * * 
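The ssl_bump ordering around the ssl::server_name ACL that ended up working, as an added example for a Squid 3.5 intercept setup (not the thread's own configuration); the https_port line, the CA path and port 3129 are assumptions:

```conf
# Added example, not the thread's own config. Assumed: intercept port 3129
# and a CA at /etc/squid/ssl_cert/myCA.pem (placeholder path).
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# At SslBump1 ssl::server_name holds only the original destination IP (or its
# reverse DNS); the ClientHello SNI is available from SslBump2 onward, so the
# domain match must come after a peek at step 1.
acl nossl ssl::server_name .mozilla.org
acl step1 at_step SslBump1

# ssl_bump rules are first-match, so order matters.
ssl_bump peek step1      # step 1: read the ClientHello and learn the SNI
ssl_bump splice nossl    # step 2: SNI matched, tunnel without decrypting
ssl_bump splice all      # everything else: tunnel too ('bump all' would inspect)

# Deliberately absent: sslproxy_flags DONT_VERIFY_PEER and
# sslproxy_cert_error allow all. They do nothing for spliced tunnels (Squid
# never terminates that TLS) but would silence every upstream certificate
# failure on any connection that is bumped.
```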
