[squid-users] Cant open some HTTPS with Squid 4.8

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 3 13:33:58 UTC 2019


On 3/09/19 11:47 pm, KOTOXJle6 wrote:
> I'm trying to set up Squid 4.8 on Ubuntu 18.04 LTS with HTTPS redirecting to
> the squid error page for sites in ACLs. Yesterday I faced a major problem: HTTPS
> sites don't open normally in IE11/EDGE and show a blank page only + squid
> replaces the certificate. If I tap F5, sometimes the site opens like it should and
> certificate replacement doesn't happen... and it doesn't work for all sites. I
> couldn't pinpoint the dependencies. I also can open some sites like
> rambler.ru, kanobu.ru, alexa.com normally. The most interesting thing is
> that other browsers like Chrome, FF and even Opera open all sites like they
> should and spoof the cert + redirect to the error page only if site persist in ACL.
> 

Huh? What does "only if site persist in ACL" mean?


> What I already did:
> - Disabled IPv6 on the Squid host
> - Disabled/enabled TLS in IE in all variations
> - Disabled SPDY/3
> 
> Bump settings in squid.conf:
> 
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
> ssl_bump peek all
> 
> I have these errors in /var/log/squid/cache.log
> 
> ERROR: negotiating TLS on FD 46: error:1425F175:SSL
> routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
> 
> ERROR: negotiating TLS on FD 104: error:14094410:SSL
> routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
> 
> ERROR: negotiating TLS on FD 27: error:1423406E:SSL
> routines:tls_parse_stoc_sct:bad extension (1/-1/0)
> 
> 

Any of the above errors may occur when connecting a specific client to a
specific server. SSL-Bump is riding the fine line of capability/feature
matching between three TLS/SSL libraries and the software using them -
two sets of which are remote machinery.
All of the above errors (and more) will result in the symptoms you
describe happening. If you don't already know what they mean, use your
favourite search engine. They are quite common and well explained
already by others.

To make any real progress you (or someone) will need to view the TLS
Hello exchanges happening on *both* the client<->Squid and the
Squid<->server connections. I suggest combining a tcpdump capture
(_full_ packets) compared with Squid "debug_options 11,2" info about
what the FDs are being used for.
It may be obvious what is going on when you look at that info.


[ If that process is new to you, then I do highly recommend you take a
little time to become familiar. TLS is a changing environment and
SSL-Bump will be presenting you with more of these types of error/problem
that need dealing with in future. ]


> Error in access.log
> 
> TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html
> 

407 - HTTP authentication credentials are required for this CONNECT
transaction to happen.

IMPORTANT: When you have configured proxy authentication and SSL-Bump
you need to be *very* careful to ensure the proxy requests (and gets)
the credentials on the initial client CONNECT request - *and* that the
credentials remain valid for the entire time the HTTPS tunnel is going
to be open. If their need is only discovered later (or any
refresh/update to them) then all Squid can do is abort the HTTPS with an
error.

Amos
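An added example (not from this thread or the Squid project) that parses the two log formats quoted above: it pulls the FD, OpenSSL error code, function and reason out of the cache.log "negotiating TLS" lines so the FDs can be looked up in the "debug_options 11,2" output, and flags CONNECT requests answered with 407 in access.log, the authentication case described in the reply. All sample lines, timestamps, client addresses and the repeated FD are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample cache.log lines modelled on the errors quoted in the thread;
# timestamps, the "kid1|" prefix and the repeated FD 46 are made up.
CACHE_LOG = """\
2019/09/03 11:40:01 kid1| ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
2019/09/03 11:40:05 kid1| ERROR: negotiating TLS on FD 104: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)
2019/09/03 11:40:09 kid1| ERROR: negotiating TLS on FD 27: error:1423406E:SSL routines:tls_parse_stoc_sct:bad extension (1/-1/0)
2019/09/03 11:40:12 kid1| ERROR: negotiating TLS on FD 46: error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback (1/-1/0)
"""

# Constructed access.log lines in Squid's default log format; the 407 entries
# mirror the one quoted above, with made-up client addresses (192.0.2.0/24).
ACCESS_LOG = """\
1567510001.123      0 192.0.2.10 TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html
1567510002.456    310 192.0.2.10 TCP_TUNNEL/200 5123 CONNECT rambler.ru:443 user1 HIER_DIRECT/203.0.113.5 -
1567510003.789      0 192.0.2.11 TCP_DENIED/407 4141 CONNECT i.ibb.co:443 - HIER_NONE/- text/html
"""

TLS_ERR = re.compile(
    r"negotiating TLS on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>\w+):(?P<reason>[^(]+?) \("
)
ACCESS = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<result>\w+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def parse_tls_errors(text):
    """One dict per 'negotiating TLS' error: fd (int), OpenSSL code, function, reason."""
    found = (TLS_ERR.search(line) for line in text.splitlines())
    return [dict(m.groupdict(), fd=int(m["fd"])) for m in found if m]

def errors_by_reason(errors):
    """Count handshake failures per OpenSSL reason so the dominant cause stands out."""
    return Counter(e["reason"] for e in errors)

def fds_for_reason(errors, reason):
    """FDs to look up in the 'debug_options 11,2' output to find the peers involved."""
    return sorted({e["fd"] for e in errors if e["reason"] == reason})

def unauthenticated_connects(text):
    """(client, host:port) for CONNECTs answered with 407: auth was demanded on
    the CONNECT itself and the HTTPS tunnel was never established."""
    found = (ACCESS.match(line) for line in text.splitlines())
    return [(m["client"], m["url"]) for m in found
            if m and m["method"] == "CONNECT" and m["status"] == "407"]
```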