[squid-users] About SSL peek-n-splice/bump configurations

[Alex Rousskov]

On 09/06/2018 07:48 PM, Julian Perconti wrote:

> With this peek-n-splice configuration:
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump bump
> 
> I got this error on spliced sites (a bank site):

> (104) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: [No Error]

> 2018/09/06 22:40:36 kid1| ERROR: negotiating TLS on FD 44: error:00000000:lib(0):func(0):reason(0) (5/-1/104)

OK, so the origin server is resetting a connection when Squid talk to
it. Does that happen during the peek (step2), splice (step3), or bump
(step3) rule?

One way to answer that question is to post an ALL,9 log of the isolated
failing transaction for a developer to tell you what is going on.

Another way is to replace a suspected rule with, say, an "ssl_bump
terminate all" rule and see if anything changes (going from the last
suspected rule up towards the first one until something does change).

There are other ways as well, of course.


> But if i change the ssl bump(s) directive to:
> 
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump bump all
> 
> I can Access to spliced site and no any kind of errors in access.log
> 
> Any idea?

My working theory is that your noBumpSites (i.e. ssl::server_name_regex)
ACL matches at step2 but does not match at step3. That is just a guess,
and, even if it is correct, it does not fully explain what Squid does in
that case and why the peer resets the connection.


HTH,

Alex.