[squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

George Sheng g2011828 at hotmail.com
Sun Dec 8 06:53:24 UTC 2019


I’m new to this group. I just setup a squid ver 4.5 on my ubuntu machine. I configured this proxy to receive
https packets from another device on the same LAN, and modified the iptables to redirect the port 443 packets
to the squid proxy port 3130.

I can see the client https packet has been received and the proxy is ready to do the ‘bump’, the fd to the client
connection is 13:

2019/12/07 20:48:59.586 kid1| 85,4| client_side_request.cc<http://client_side_request.cc>(1510) processRequest: CONNECT x.y.43.31:443
2019/12/07 20:48:59.586 kid1| 85,5| client_side_request.cc<http://client_side_request.cc>(1597) sslBumpStart: Confirming peek-bumped CONNECT tunnel on FD local=x.y..31:443 remote= FD 13 flags=33

From the debug I can also see the proxy  connects towards the remote
server, and proxy has negotiated fine with the server. the proxy receives 3 certificates from the server,
and verification was fine to the server. But when the proxy trying to proceed with client negotiation, I got this error:

2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc<http://client_side.cc>(2859) sslCrtdHandleReply: Certificate for x.y.43.31 was successfully recieved from ssl_crtd
2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc<http://client_side.cc>(3335) doPeekAndSpliceStep: PeekAndSplice mode, proceed with client negotiation. Currrent state:SSLv2/v3 read client hello A
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc<http://ModEpoll.cc>(117) SetSelect: FD 13, type=2, handler=1, client_data=0x15beef8, timeout=0
2019/12/07 20:48:59.760 kid1| 84,5| helper.cc<http://helper.cc>(1247) GetFirstAvailable: GetFirstAvailable: Running servers 5
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCall.cc<http://AsyncCall.cc>(26) AsyncCall: The AsyncCall helperHandleRead constructed, this=0x1a37c50 [call827]
2019/12/07 20:48:59.760 kid1| 5,5| Read.cc<http://Read.cc>(57) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 10 flags=1; asynCall 0x1a37c50*1
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc<http://ModEpoll.cc>(117) SetSelect: FD 10, type=1, handler=1, client_data=0x155cce8, timeout=0
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCallQueue.cc<http://AsyncCallQueue.cc>(57) fireNext: leaving helperHandleRead(local=[::] remote=[::] FD 10 flags=1, data=0x157f9a8, size=3384, buf=0x157fbd0)
2019/12/07 20:48:59.760 kid1| 83,5| bio.cc<http://bio.cc>(612) squid_bio_ctrl: 0x1a5e140 6(0, 0x1a76c00)
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc<http://Session.cc>(347) get_session_cb: Request to search for SSL_SESSION of len: 321019023443:419801955
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc<http://MemMap.cc>(156) openForReading: trying to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc<http://MemMap.cc>(177) openForReadingAt: trying to open slot at 18 for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc<http://MemMap.cc>(169) openForReading: failed to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc<http://Session.cc>(362) get_session_cb: Failed to retrieve SSL_SESSION from cache

Here is my squid.conf:

acl localnet src
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/local/

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256 # 1GB as Cache


I’m wondering if this problem is a bug, my proxy config issue, or the client does not send the correct TLS parameters.
thanks for your help in advance.

- George

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20191208/b3a92efc/attachment-0001.html>

More information about the squid-users mailing list