[squid-users] Cant open some HTTPS with Squid 4.8

Tue Sep 3 16:50:01 UTC 2019

Amos Jeffries wrote
> Huh? What does "only if site persist in ACL" mean?

I'll try to explain by example. I have 2 ACLs, blockvideo and blockvpn; they
contain URLs for video hosting sites and VPN services. These ACLs are applied to
domain groups blockvideo and blockvpn. I have 2 users, adm1 and user1. user1 is
a member of both groups and adm1 is not.
When user1 tries to open any site from the ACLs (even HTTPS), he should be
redirected to the Squid error page which tells him that access is restricted
and he should contact the local administrator.

Amos Jeffries wrote
> Any of the above errors may occur when connecting a specific client to a
> specific server. SSL-Bump is riding the fine line of capability/feature
> matching between three TLS/SSL libraries and the software using them -
> two sets of which are remote machinery.
> All of the above errors (and more) will result in the symptoms you
> describe happening. If you don't already know what they mean, use your
> favourite search engine. They are quite common and well explained
> already by others.

At this point I realized that the problem is not in the browser settings.

Amos Jeffries wrote
> To make any real progress you (or someone) will need to view the TLS
> Hello exchanges happening on *both* the client<->Squid and the
> Squid<->server connections. I suggest combining a tcpdump capture
> (_full_ packets) compared with Squid "debug_options 11,2" info about
> what the FD are being used for.
> It may be obvious what is going on when you look at that info.
> [ If that process is new to you, then I do highly recommend you take a
> little time to become familiar. TLS is a changing environment and
> SSL-Bump will be presenting you with more of these types of error/problem
> that need dealing with in future. ]

Thank you. Missed that section somehow. I'll try to do this.

Amos Jeffries wrote
> 407 - HTTP authentication credentials are required for this CONNECT
> transaction to happen.
> IMPORTANT: When you have configured proxy authentication and SSL-Bump
> you need to be *very* careful to ensure the proxy requests (and gets)
> the credentials on the initial client CONNECT request - *and* that the
> credentials remain valid for the entire time the HTTPS tunnel is going
> to be open. If their need is only discovered later (or any
> refresh/update to them) then all Squid can do is abort the HTTPS with an
> error.

It looks like the problem starts at the first step of ssl_bump peek. If I
understand it right, problems appear when Squid tries to get inside the HTTPS
session to decide whether it should bump (if the site is in the ACL and the
user is in the group) or splice this

Alex Rousskov wrote
> According to the discussion linked below, these errors may be "normal":
> https://security.stackexchange.com/questions/160922/ssl-error-inappropriate-fallback-and-tls-fallback-scsv
> To confirm that they are normal, you would need to isolate traffic from
> the affected client and see whether its previous connection or tunneling
> attempt has failed for some reason.
> A similar problem was discussed at
> http://lists.squid-cache.org/pipermail/squid-users/2019-April/020506.html
> If your OpenSSL installation is reasonably fresh, then you will need to
> isolate the failure to where you can connect TCP packet samples and/or
> Squid debugging logs.

Thanks for the links. Squid -v shows that this binary uses OpenSSL 1.1.1  11 Sep
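
The policy discussed in this thread (credentials demanded on the initial CONNECT, peek at step 1, bump only ACL-listed sites for members of the restricted groups, splice everything else) as an added squid.conf sketch; it is not the poster's configuration or anything from Amos or Alex. The file paths, the basic_ncsa_auth backend and the ext_wbinfo_group_acl group helper are assumptions standing in for whatever authentication and group lookup the real deployment uses.

```conf
# Added illustration, not the poster's squid.conf. Paths and helpers below
# are assumptions; substitute the auth backend and group helper you run.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Proxy authentication: the 407 challenge must happen on the CONNECT.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Group membership of the authenticated user (user -> domain group).
external_acl_type grp ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl in_blockvideo external grp blockvideo
acl in_blockvpn   external grp blockvpn

# Destination lists, one domain per line.
acl blockvideo dstdomain "/etc/squid/blockvideo.txt"
acl blockvpn   dstdomain "/etc/squid/blockvpn.txt"
acl step1 at_step SslBump1

# Credentials are obtained here, before any ssl_bump decision, so they
# are attached to the tunnel for its whole lifetime.
http_access deny !authenticated

# Step 1: peek at the ClientHello so dstdomain can match the SNI.
# Step 2: bump only listed sites for users in the matching group;
# every other HTTPS connection is spliced through untouched.
ssl_bump peek step1
ssl_bump bump blockvideo in_blockvideo
ssl_bump bump blockvpn in_blockvpn
ssl_bump splice all

# Inside a bumped session the plain request is visible, so this deny
# returns Squid's default ERR_ACCESS_DENIED page instead of a TLS error.
http_access deny blockvideo in_blockvideo
http_access deny blockvpn in_blockvpn
http_access allow authenticated
http_access deny all
```

Because adm1 is in neither group, neither bump rule matches for him and his connections to the listed sites are spliced, which is why the user's restriction must be expressed on both the ssl_bump and the http_access lines.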

