[squid-users] Squid 4.12 Arch Linux Google Chrome fails - OpenSSL 1.1.1g (was Re: SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server hello)

Amish anon.amish at gmail.com
Mon Jun 29 15:18:12 UTC 2020


On 16/06/20 1:13 pm, Loučanský Lukáš wrote:
> But the client on the intercepted connection (via changed routing table under mikrotik and then prerouted to correct squid ports for http and ssl traffic) running Chrome 83 http://download.kjj.cz/pub/ssl/idnes.cz_chrome.83.0.4103.97.pcapng sends ClientHello - and no ServerHello is received. I've tcpdumped outgoing interface on the squid box - and there was no actual connection to the desired server.
> In the access.log there is something like 1592212170.495      2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
>   
> But - same client, same network, same network running Firefox 77 http://download.kjj.cz/pub/ssl/idnes.cz_firefox.77.0.1.pcapng  gets ServerHello after its ClientHello - they exchange information, exchange ciphers etc. and the web page is loaded. I've checked https certificate details - it's been issued by my CA.
>
>
> access.log:
>   
> 1592212156.764      8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
> 1592212156.774      2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.825     38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
> 1592212156.840      7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.893     28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
>
>
> So in Firefox - it seems to be working

I am using Arch Linux and today I upgraded squid to 4.12 (from 4.10).

I am observing a very similar issue.

Clients make HTTPS request via CONNECT to port 8080.

I have configured SSL bump but it is "effectively" deactivated via the 
following ACLs:

http_port 8080 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/ssl_cert/squid.pem tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem

tls_outgoing_options cafile=/etc/ssl/cert.pem

tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

ssl_bump splice ssl_step1 nosslbump_ips # (acl type src)
ssl_bump peek ssl_step1
ssl_bump splice nosslbump_domains # (acl type ssl::server_name_regex)
(more ssl_bump lines not shown)

nosslbump_domains contains ".*" - so effectively nothing is bumped.

Firefox and IE work fine. But in Google Chrome, sites don't open.

Access log shows NONE_ABORTED (for google chrome).

And the packet sniffer shows FIN, ACK sent by squid. (I have not gone into 
details as I don't understand packet details.)

Am I doing anything wrong? If not, then is there any temporary 
workaround without downgrading squid?

Please guide,

Thank you

Amish.
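An added triage script, not from this thread or from the Squid project, that parses access.log lines in Squid's default native log format and flags the pattern both posters describe: a CONNECT logged as NONE_ABORTED with 0 bytes and HIER_NONE, meaning the client tunnel was closed before any origin connection existed. It lets a defender see which client addresses are affected and at what rate. The sample input reuses the lines quoted in the thread plus one constructed entry for a second client (10.0.0.41); the field layout assumed is the stock `squid` logformat, ten whitespace-separated fields.

```python
"""Flag aborted CONNECT tunnels in a Squid native-format access.log.

Hypothetical helper, not part of Squid. Assumes the default 'squid'
logformat: timestamp elapsed client code/status bytes method url user
hierarchy/peer content-type (10 whitespace-separated fields).
"""

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result_code: str   # e.g. TCP_MISS, NONE, NONE_ABORTED
    status: int        # HTTP status code
    bytes_sent: int
    method: str
    url: str
    user: str
    hierarchy: str     # e.g. ORIGINAL_DST, HIER_NONE
    peer: str          # address after the '/', or '-'
    content_type: str


def parse_line(line: str) -> AccessEntry:
    """Split one native-format line into its fields; raises on malformed input."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, elapsed, client, code_status, nbytes, method, url, user, hier_peer, ctype = fields
    code, status = code_status.split("/", 1)
    hierarchy, peer = hier_peer.split("/", 1)
    return AccessEntry(float(ts), int(elapsed), client, code, int(status),
                       int(nbytes), method, url, user, hierarchy, peer, ctype)


def is_aborted_tunnel(entry: AccessEntry) -> bool:
    """True when a CONNECT was torn down before Squid contacted any server.

    A spliced tunnel that works is also logged as NONE/200 with HIER_NONE
    (see the thread's Firefox lines), so the decisive marker is NONE_ABORTED.
    """
    return (entry.method == "CONNECT"
            and entry.result_code == "NONE_ABORTED"
            and entry.bytes_sent == 0
            and entry.hierarchy == "HIER_NONE")


def aborted_tunnels(lines):
    """Return the parsed entries that match the aborted-tunnel pattern."""
    return [e for e in map(parse_line, (l for l in lines if l.strip()))
            if is_aborted_tunnel(e)]


def summarise(lines):
    """Per client address, count CONNECT tunnels that completed vs. aborted."""
    stats = defaultdict(Counter)
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.method != "CONNECT":
            continue   # only tunnels are relevant to the symptom
        stats[e.client]["aborted" if is_aborted_tunnel(e) else "ok"] += 1
    return {client: dict(c) for client, c in stats.items()}


# Sample log: the four lines quoted in the thread, plus one constructed
# entry for a second client so that the per-client grouping is visible.
SAMPLE_LOG = """\
1592212156.764      8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
1592212156.774      2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.840      7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212170.495      2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212171.001     15 10.0.0.41 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
"""

if __name__ == "__main__":
    for client, counts in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {counts}")
    for e in aborted_tunnels(SAMPLE_LOG.splitlines()):
        print(f"aborted tunnel from {e.client} to {e.url} at {e.timestamp}")
```

Run it against a real access.log with `summarise(open("/var/log/squid/access.log"))`; a client whose "aborted" count dominates while others show only "ok" is the same browser-specific signature the thread reports, and a good starting point before capturing its ClientHello.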
