[squid-users] HTTPS Settings

John Refwe johnrefwe at mail.com
Fri Dec 14 04:39:48 UTC 2018


I am writing about assistance with my SSL bump settings.

My squid conf (this is a simple version I'm using to test this issue) looks as follows:
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

http_access allow all
sslcrtd_children 2 startup=2 idle=1
http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2 

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.

My browser shows a screen that reads: "Failed to establish a secure connection to The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache logs contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"

Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.

Thank you for any help, it is much appreciated.

All the best,

More information about the squid-users mailing list