[squid-users] ALPN, HTTP/2 and sslbump

brianbergstrom brian.bergstrom at sportsengine.com
Wed Jan 3 22:30:29 UTC 2018

I am using Squid 3.5.27 and recently started having issues when I upgraded
from openssl 1.0.1 to 1.0.2 which I believe introduced support for h2/ALPN. 
I have narrowed down the issue to a request that fails but succeeds with
curl's --no-alpn flag.  

Here is the error message from Squid for the failure, though the request
ends up timing out with an EOF error.
Handshake with SSL server failed: error:140920E3:SSL
routines:ssl3_get_server_hello:parse tlsext

A tcpdump of the failure shows curl sending an ALPN extension that contains http/1.1 and h2
as its client protocols, and the Server Hello replying with h2 as the chosen protocol.

A tcpdump of successful request with the --no-alpn flag verifies that no
ALPN TLS extension data is present.

If I understand the docs and this thread correctly, Squid should be removing
h2 from the ALPN in the Client Hello since Squid does not support it.  But
it appears to be passing it through and failing when the server chooses it.

The relevant lines from my squid.conf:
http_port 3130 ssl-bump cert=/etc/squid/squid.pem
follow_x_forwarded_for allow localnet

cache deny all

acl SSL_Port port 443
acl Proxy_port port 3130
http_access allow Proxy_port
http_access allow SSL_Port

acl allowed_http_sites dstdom_regex '/etc/squid/trusted_http_sites.lst'
acl allowed_https_sites ssl::server_name_regex
acl allowed_https_ips dst '/etc/squid/trusted_https_ips.lst'

http_access allow allowed_http_sites

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1
ssl_bump peek step2 allowed_https_sites
ssl_bump peek step2 allowed_https_ips
ssl_bump splice step3 allowed_https_sites
ssl_bump splice step3 allowed_https_ips
ssl_bump terminate step2 all

http_access deny all
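
The check behind the tcpdump comparison above, written as an added example that is not part of the original post or of Squid itself: a small parser that reads a TLS ClientHello record, extracts the SNI and ALPN extensions, and reports whether h2 is still offered. The ClientHello bytes are constructed inline (a minimal TLS 1.2 hello with a zeroed random and one cipher suite) rather than taken from a capture, so the script runs offline; the `supported` set of protocols a bumping proxy is assumed to speak is an assumption of the example, not a Squid setting. Feed real bytes from a capture into `alpn_protocols` to verify what the proxy actually forwards.

```python
import struct

ALPN_EXT = 16   # RFC 7301 extension type
SNI_EXT = 0     # RFC 6066 extension type


def build_client_hello(alpn=None, host="example.com"):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).
    alpn=None omits the extension entirely, like curl --no-alpn."""
    exts = b""
    name = host.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name
    exts += struct.pack("!HH", SNI_EXT, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += struct.pack("!HH", ALPN_EXT, len(names) + 2) + struct.pack("!H", len(names)) + names
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random (zeros in the sample)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return {extension_type: extension_data} from a single ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                # skip version and random
    pos += 1 + body[pos]                        # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                        # compression methods
    if pos >= len(body):
        return {}                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def server_name(record):
    data = parse_client_hello_extensions(record).get(SNI_EXT)
    if data is None:
        return None
    n = struct.unpack("!H", data[3:5])[0]      # list length(2), name type(1), name length(2)
    return data[5:5 + n].decode()


def alpn_protocols(record):
    """List of offered ALPN protocol names, or None when the extension is absent."""
    data = parse_client_hello_extensions(record).get(ALPN_EXT)
    if data is None:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, protos = 2, []
    while pos < 2 + list_len:
        n = data[pos]
        protos.append(data[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return protos


def offers_h2(record):
    return "h2" in (alpn_protocols(record) or [])


def expected_forwarded_alpn(record, supported=frozenset({"http/1.1"})):
    """What a bumping proxy that only speaks `supported` should leave in the
    forwarded hello (assumption of this example, not Squid's actual logic)."""
    offered = alpn_protocols(record)
    if offered is None:
        return None
    return [p for p in offered if p in supported]


if __name__ == "__main__":
    hello = build_client_hello(["h2", "http/1.1"])
    print("SNI:", server_name(hello), "ALPN:", alpn_protocols(hello), "h2 offered:", offers_h2(hello))
    print("stripped ALPN a bump-capable proxy should forward:", expected_forwarded_alpn(hello))
    print("--no-alpn hello:", alpn_protocols(build_client_hello(None)))
```

Running it against a hello captured on the server side of a bumped connection tells you in one line whether the proxy passed h2 through; if `offers_h2` is true there, the server is entitled to select h2, and a proxy that cannot speak HTTP/2 will fail exactly as the `parse tlsext` error above describes.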

