[squid-users] HTTPS Settings
John Refwe
johnrefwe at mail.com
Fri Dec 14 04:39:48 UTC 2018
Hi,
I am writing about assistance with my SSL bump settings.
My squid conf (this is a simple version I'm using to test this issue) looks as follows:
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
http_access allow all
sslcrtd_children 2 startup=2 idle=1
http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.
My browser shows a screen that reads: "Failed to establish a secure connection to 96.43.153.48. The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache logs contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"
Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.
Thank you for any help, it is much appreciated.
All the best,
John
More information about the squid-users
mailing list