[squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

Marcus Kool marcus.kool at urlfilterdb.com
Tue May 15 13:32:27 UTC 2018


pcmag.com also does not load here, although my config parameters are slightly different.
The certificate is indeed huge...
Do you have
    ERROR: negotiating TLS on FD NNN: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
or other errors in cache.log?

Marcus

On 15/05/18 10:15, Ahmad, Sarfaraz wrote:
> Hi Folks,
> 
> I am using Squid as an HTTPS interception proxy. When I try to access https://www.pcmag.com (which is supposed to be bumped in my environment), I get
> 
> “unable to forward request at this time” even though the website is perfectly accessible outside of the proxy.
> 
> A packet capture suggests that after Client Hello -> ServerHello -> ServerCertificate, Server Key Exchange, ServerHelloDone, the remote server just sends a FIN,ACK packet, killing off the TCP
> connection. Nothing else looks out of the ordinary. (Without Squid, Firefox successfully opens the site and the negotiation is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS 1.2.)
> 
> The only weird thing that stands out about that website is that the list of SubjectAlternativeNames is huge. Could this be a possible bug with Squid?
> 
> My TLS options in squid.conf:
> 
> tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt \
>      options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
>      cipher=HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EXPORT:!DES:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> 
> https_port:
> 
> https_port 23129 intercept ssl-bump \
>      generate-host-certificates=on \
>      dynamic_cert_mem_cache_size=4MB \
>      cert=/etc/squid/InternetCA/InternetCA.pem \
>      key=/etc/squid/InternetCA/InternetCA.key \
>      tls-cafile=/etc/squid/InternetCA/InternetCA.chain.pem \
>      capath=/etc/pki/tls/certs/certs.d \
>      options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
>      tls-dh=prime256v1:/etc/squid/dhparam.pem
> 
> Please advise.
> 
> Regards,
> 
> Sarfaraz
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
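Editor's added example (not code from the thread or from Squid): a Python 3 script that rebuilds the outgoing TLS client settings from the tls_outgoing_options quoted above (options=, cipher=, cafile=) with the standard-library ssl module and runs the handshake against the server outside Squid. It separates the two explanations raised in the thread: a certificate verification failure (the cache.log error Marcus asks about) surfaces as ssl.SSLCertVerificationError, while the server closing the connection after ServerHelloDone surfaces as an EOF or reset during the handshake. It also lists the suites the cipher string actually offers, so one can check that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (the suite Firefox negotiated) is still on the list. The host www.pcmag.com and the CA bundle path are taken from the thread; the function names (build_context, probe, squid_options_to_openssl) and the outcome labels are this example's own, and by default the script uses the system trust store rather than Squid's cafile so it runs on a machine without that bundle.

```python
"""Reproduce Squid's outgoing TLS negotiation outside Squid.

Added example for this squid-users thread, not Squid's own code. It
builds a client SSLContext from the tls_outgoing_options values quoted
in the thread and classifies how the handshake ends.
"""
import socket
import ssl

# Values copied from the quoted squid.conf.
SQUID_OPTIONS = "NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE"
SQUID_CIPHERS = ("HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
                 ":!EXPORT:!DES:!aECDH:!EDH-DSS-DES-CBC3-SHA"
                 ":!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA")
SQUID_CAFILE = "/etc/pki/tls/certs/ca-bundle.crt"   # path from the thread


def squid_options_to_openssl(options):
    """Map Squid's options= list onto the ssl.OP_* bit-mask.

    Squid hands these names to OpenSSL's SSL_OP_* flags; Python exposes
    the same constants as ssl.OP_<NAME>.  Unknown names are an error
    rather than silently ignored.
    """
    mask = 0
    for name in options.split(","):
        name = name.strip()
        if not name:
            continue
        flag = getattr(ssl, "OP_" + name, None)
        if flag is None:
            raise ValueError("unknown TLS option: %s" % name)
        mask |= flag
    return mask


def build_context(options=SQUID_OPTIONS, ciphers=SQUID_CIPHERS, cafile=None):
    """Client context mirroring tls_outgoing_options.

    cafile=None uses the system trust store; pass SQUID_CAFILE to
    verify against exactly the bundle Squid uses.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= squid_options_to_openssl(options)
    ctx.set_ciphers(ciphers)          # raises if the string yields nothing
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def offered_cipher_names(ctx):
    """OpenSSL names of the suites this context will put in ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe(host, port=443, ctx=None, timeout=10.0):
    """Handshake with host and classify the outcome.

    Returns a dict whose 'outcome' is 'ok', 'verify-failed',
    'peer-closed' or 'tls-error' (labels chosen for this example).
    """
    ctx = ctx or build_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for _, v in cert.get("subjectAltName", ())]
                return {"outcome": "ok",
                        "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "san_count": len(sans)}
    except ssl.SSLCertVerificationError as e:
        # The case behind a "certificate verify failed" line in cache.log.
        return {"outcome": "verify-failed", "detail": e.verify_message}
    except (ssl.SSLEOFError, ConnectionResetError) as e:
        # Peer sent FIN/RST before the handshake completed.
        return {"outcome": "peer-closed", "detail": str(e)}
    except ssl.SSLError as e:
        return {"outcome": "tls-error", "detail": e.reason or str(e)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.pcmag.com"
    context = build_context()
    names = offered_cipher_names(context)
    print("offering %d suites, first: %s" % (len(names), names[:3]))
    print(probe(target, ctx=context))
```

Run it as `python3 probe.py www.pcmag.com`; a 'peer-closed' result with the same cipher string as Squid points at the server side or the path to it, while 'ok' from the same host suggests the difference lies in how Squid itself drives the handshake.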
