[squid-users] squid 5.0.4 cache_peer bug on https outgoing

openwrt openwrt.jp at gmail.com
Mon Sep 28 05:41:16 UTC 2020


Yes, I've tried all of these combinations.

### 0x00 cache_peer no ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 【no ssl】

curl http://google.com -x http://admin:squid@localhost:3128 -v -k   【it is ok】

curl https://google.com -x https://admin:squid@localhost:3128 -v -k   【Get 502】
curl https://google.com -x http://admin:squid@localhost:3128 -v -k   【Get 502】

< HTTP/1.1 502 Bad Gateway
< X-Cache: MISS from example.com
< Transfer-Encoding: chunked
< Connection: keep-alive

log json:

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
"2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443",
"httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-",
"agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status":
"HIER_NONE" }

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
"2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/",
"httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer": "-",
"agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status":
"HIER_NONE" }

### 0x01 cache_peer with ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 ssl

curl http://google.com -x http://admin:squid@localhost:3128 -v -k   【Get 502】
curl https://google.com -x https://admin:squid@localhost:3128 -v -k   【Get 502】

< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Mon, 28 Sep 2020 04:21:00 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1649
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

<p>The system returned:</p>
<blockquote id="data">
<pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>
<p>Handshake with SSL server failed: [No Error]</p>
</blockquote>



### 0x02 how to send outgoing https requests through cache_peer (on squid 5.0.4 / chained proxy)

Similar features to Charles or Fiddler (open an http(s) proxy on 8080, capture the request, then send it out through another http(s)/socks4/5 proxy).

1. Fiddler gateway:
https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway

curl https://google.com -x http://squid:3128 --> outgoing (cache_peer, like the Fiddler gateway) --> google.com:443

The cache_peer should ignore SSL verification, like other software does!

On squid 5.0.4, http is ok, but https gets an ERR_SECURE_CONNECT_FAIL error.



Alex Rousskov <rousskov at measurement-factory.com> wrote on Mon, Sep 28, 2020 at 6:48 AM:

> On 9/27/20 12:07 PM, sec wrote:
>
> > http_port 3128 ssl-bump ...
>
> > curl http://google.com -x https://admin:squid@localhost:3128 -v  -k
>
> The above two lines do not match AFAICT: You tell curl to use an HTTPS
> proxy, but you tell Squid to expect plain HTTP proxy requests.
>
> Also, please note that if you fix the above problem by moving "https"
> from "-x" to the origin server URL, then you will probably face another
> problem:
>
> curl https://google.com -x http://admin:squid@localhost:3128 -v  -k
>
> > ssl_bump allow all
>
> > cache_peer 127.0.0.1 parent 3129 0 ssl
>
> Squid does not (yet) support "TLS inside TLS": Talking TLS with the
> origin server through a cache_peer that also expects a TLS connection.
>
>
> HTH,
>
> Alex.
>
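The two JSON access-log entries in the thread carry the key diagnostic: the bumped GET fails with 502 while `hierarchy_status` is `HIER_NONE`, i.e. Squid produced the error before selecting any next hop, so the parent on 3129 was never contacted. The script below is an added example for triaging such logs; it is not code from the thread or from the Squid project. It assumes the JSON `logformat` seen in the thread (one object per line with `clientip`, `verb`, `request`, `response` and `hierarchy_status`), and it assumes the documented meaning of `HIER_NONE` (no next hop chosen, used for errors and hits) versus peer codes such as `FIRSTUP_PARENT/<peer>`. The sample log lines are constructed from the ones in the thread; the 503 and 200 lines with a peer code are made up to show the other outcomes.

```python
"""Triage Squid JSON access-log lines for forwarding failures.

Added example, not from the squid-users thread or the Squid project.
Assumes a logformat that emits one JSON object per line (fields as in the
thread).  Classification rule (assumption, based on Squid's documented
hierarchy codes):
  * 5xx + HIER_NONE          -> Squid never picked a next hop (peer selection,
                                never_direct/always_direct or ssl_bump policy)
  * 5xx + any peer/direct code -> a next hop was chosen but the exchange failed
                                (e.g. TLS handshake to the peer, ERR_SECURE_CONNECT_FAIL)
"""
import json
from urllib.parse import urlsplit

# Constructed sample: first two lines mirror the thread, last two are made up.
SAMPLE_LOG = """\
{ "clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "response": 200, "bytes": 0, "hierarchy_status": "HIER_NONE" }
{ "clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "response": 502, "bytes": 117, "hierarchy_status": "HIER_NONE" }
{ "clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:21:00+0000", "verb": "GET", "request": "http://google.com/", "response": 503, "bytes": 1649, "hierarchy_status": "FIRSTUP_PARENT/127.0.0.1" }
{ "clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:25:00+0000", "verb": "GET", "request": "http://google.com/", "response": 200, "bytes": 5123, "hierarchy_status": "FIRSTUP_PARENT/127.0.0.1" }
"""


def parse_log(text):
    """Parse JSON-per-line log text; non-JSON lines (banners, garbage) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def classify(entry):
    """Map one entry to 'ok', 'no-next-hop' or 'next-hop-failed'."""
    status = int(entry.get("response", 0))
    hier = entry.get("hierarchy_status", "HIER_NONE")
    if status < 500:
        return "ok"
    if hier == "HIER_NONE":
        return "no-next-hop"
    return "next-hop-failed"


def host_of(entry):
    """Origin host for either a CONNECT (host:port) or an absolute-URI request."""
    req = entry.get("request", "")
    if entry.get("verb") == "CONNECT":
        return req.rsplit(":", 1)[0]
    return urlsplit(req).hostname or ""


def annotate(entries):
    """Classify every non-CONNECT entry and mark requests that arrived inside a
    bumped tunnel (an earlier CONNECT from the same client to the same host,
    followed by an https:// request logged individually)."""
    seen_connect = set()
    result = []
    for e in entries:
        key = (e.get("clientip"), host_of(e))
        if e.get("verb") == "CONNECT":
            seen_connect.add(key)
            continue
        result.append({
            "request": e.get("request"),
            "status": int(e.get("response", 0)),
            "hierarchy": e.get("hierarchy_status"),
            "class": classify(e),
            "bumped": key in seen_connect and e.get("request", "").startswith("https://"),
        })
    return result


def main():
    for row in annotate(parse_log(SAMPLE_LOG)):
        tunnel = "bumped" if row["bumped"] else "plain"
        print(f'{row["status"]} {row["class"]:16} {tunnel:7} {row["hierarchy"]:26} {row["request"]}')


if __name__ == "__main__":
    main()
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file contents. A run of `no-next-hop` rows for bumped https requests, while plain http requests through the same peer show a peer code, localises the problem to Squid's routing of bumped traffic rather than to the peer itself, which is the distinction Alex's reply draws.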