[squid-users] Working peek/splice no longer functioning on some sites
James Lay
jlay at slave-tothe-box.net
Sat Nov 25 11:52:29 UTC 2017
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> On 25/11/17 08:30, James Lay wrote:
> >
> > Topic says it...this setup has been working well for a long time, but
> > now there are some sites that are failing the TLS handshake. Here's my
> > setup:
> >
> > acl localnet src 192.168.1.0/24
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 443
> > acl CONNECT method CONNECT
> > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_Ports
> > http_access allow SSL_ports
> > http_access allow allowed_http_sites
> > http_access deny all
> >
> >
> > ssl_bump peek all
> > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > ssl_bump splice allowed_https_sites
> > ssl_bump terminate all
>
> Because you have "peek all" being performed the transaction MUST pass
> your regex patterns with both TLS SNI from the client *and* the server
> certificate SubjectName values. Either one not matching will perform
> that "terminate all" on the TLS handshake.
>
Thanks Amos...do you have a suggestion for changing this to match one
or the other instead of both?
James
> >
> >
> > sslproxy_cert_error allow all
> > sslproxy_capath /etc/ssl/certs
> > sslproxy_flags DONT_VERIFY_PEER
> > #sslproxy_options ALL
> >
>
> Also, please remove these "*_error allow all" and DONT_VERIFY_PEER lines
> from your config. They are actively harmful.
>
> >
> >
> > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > sslcrtd_children 5
> >
> > http_port 3128 intercept
> > https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem
> >
>
> NP: when cert= and key= are in the same file you do not need to specify
> key=.
>
> >
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> >
>
> It is also best to add "sslflags=NO_DEFAULT_CA" to these ports for
> Squid-3. That will save a lot of useless memory overheads.
>
> >
> >
> > logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
> >
> >
>
> ...
>
> >
> > For example, the file http_url.txt contains:
> >
> > account\.elderscrollsonline\.com
> > \.elderscrollsonline\.com
> > elderscrollsonline\.com
> >
> >
> > After doing some reading it looks like this is http2 traffic:
> > https://wiki.squid-cache.org/Features/HTTP2.
> >
>
> There is no sign of HTTP/2 in that PCAP trace. There is SPDY/3 and
> HTTP/1.1 being offered by the client.
>
> If that is from the client to Squid, then please check the matching
> Squid->server for what is going on there.
>
> If the problem remains please try Squid-4. It has more advanced TLS
> capabilities than Squid-3.
>
> Amos
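A configuration sketch of the "match on the SNI only" variant that James asks about, added here as an illustration; it is not from the thread and not copied from the Squid project's documentation. It reuses the regex file path and port number from the message above as assumptions, and it relies on Squid's `at_step` ACL (available in Squid 3.5 and later) to limit peeking to the first SslBump step.

```squid
# Added example (not from the thread): splice on the client's TLS SNI alone.
# Paths and the port number are reused from the message above as assumptions.

acl step1 at_step SslBump1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Peek only at step 1 (the client's ClientHello). That is enough to learn the
# SNI. Because Squid never peeks at the server's side of the handshake, the
# server certificate SubjectName is never compared against the regex list,
# so only the SNI has to match for a site to be spliced.
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all

# The intercept port with NO_DEFAULT_CA added as the reply recommends; the
# "sslproxy_cert_error allow all" and "DONT_VERIFY_PEER" lines are left out.
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE,NO_DEFAULT_CA
```

The trade-off is visible in the log: with `peek step1` the `%ssl::>cert_subject` field stays empty for spliced connections, because the SNI is the only name Squid ever sees. The SNI is supplied by the client and is not verified against anything, so an allow-list keyed on it alone trusts each client to name its destination honestly; the original `peek all` form is stricter precisely because it also checks the name the server proves with its certificate.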