[squid-users] can't access https://www.finanzamt.bayern.de/ with sslbump (other sites works well)

Wed Jan 9 13:01:54 UTC 2019

Hello Dieter,

Just for the record, I have no problems accessing that site using SSL bumping AD integrated Squid 4.4 (coupled with web safety ICAP filter but that should not matter really). Squid conf is more or less default with usual peek-and-splice (bump all) directives.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Wednesday, 9 January 2019 13:25
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] can't access https://www.finanzamt.bayern.de/ with sslbump (other sites works well)

On 9/01/19 5:52 am, Dieter Bloms wrote:
> Hello,
> 
> I've compiled squid 4.5 with openssl1.1 as shipped with debian9.
> Sslbump works fine for all sides, but I can't access only one site 
> https://www.finanzamt.bayern.de/ and don't know the reason.
> Ssllabs gives "A".

That means they are using "Good Practice" with their use of TLS. The better they use TLS the less likely that SSL-Bump works.

...
> The access.log looks like:
> 
> --snip--
> 1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
> 1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
> --snip--
> 
> no entries in cache.log
> 
> Can anybody try this site to see whether it is my local installation, or the webserver.
> 

Please check your cache.log and the 500-status error page message to find out what the problem is. TLS is such a complicated system that it is unlikely others will be able to see the reason your system is failing with the very few details you have provided.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users