[squid-users] SSL handshake

Nishant Sharma codemarauder at gmail.com
Tue Jul 27 19:21:52 UTC 2021


On 27/07/21 9:15 pm, Vieri wrote:
> 
> I have not changed anything in the OS so it might be because of change in the remote web service.
> It might be that my openssl version is already too old (1.1.1g), and that the web site forces the use of an unsupported cypher?

I have also observed it on 2 instances of squid-4.6.2, starting
25/26th July. The configuration had been working fine for more than 9 months.

OpenSSL versions are 1.0.2q and 1.1.1h.

OS is OpenWrt based custom firmware (hopbox) on x86_64.

If the proxy is explicitly set on the client, SSL-Bump with peek &
splice works fine. If the traffic is intercepted, the HTTPS connection
takes a long time to establish and times out in the browser. HTTP is
fine with interception.

There is no error in the logs.

I suspected browser updates might have caused this, but it did not work
on both Chrome and Firefox.

Interception with peek & splice is working fine on squid-4.13 with
OpenSSL 1.1.1i.

Configuration snippet for squid-4.6.2 with openssl 1.0.2q:

=========
http_port 3128
http_port 3127 intercept
https_port 3129 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/ssl_cert/MySSLCA.pem tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 10
sslcrtd_program /usr/lib/squid/security_file_certgen -s /tmp/squid/ssldb -M 16MB

acl NoSSLIntercept ssl::server_name "/etc/squid/acls/nobump.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice !NoSSLIntercept
ssl_bump splice all
===========


Configuration snippets for squid-4.6.2 with openssl 1.1.1h:

===========
http_port 3128
http_port 3127 intercept
https_port 3129 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/ssl_cert/citykartSSLCA.pem
sslcrtd_children 15
sslcrtd_program /usr/lib/squid/security_file_certgen -s /tmp/squid/ssldb -M 10MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

host_verify_strict off
client_dst_passthru on
===========

Configuration snippet for squid-4.13 with OpenSSL 1.1.1i:

==============
http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB tls-cert=/etc/squid/ssl_cert/MySSLCA.pem tls-key=/etc/squid/ssl_cert/MySSLCA.pem tls-dh=prime256v1:/etc/squid/ssl_cert/bump_dhparam.pem
sslcrtd_children 10

acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

acl DiscoverSNIHost at_step SslBump1
#acl NoSSLIntercept ssl::server_name_regex "/etc/squid/acls/nobump.txt"
ssl_bump peek DiscoverSNIHost
#ssl_bump bump !NoSSLIntercept
ssl_bump splice all

=====================


iptables rules at all the routers:

# iptables-save | grep HTTP

-A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set ! --match-set direct dst -m comment --comment "!fw3: HTTP Intercept" -j DNAT --to-destination 10.0.0.1:3127
-A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set ! --match-set direct dst -m comment --comment "!fw3: HTTPS Intercept" -j DNAT --to-destination 10.0.0.1:3129

# iptables -nvL -t nat | grep HTTP

DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ! match-set direct dst /* !fw3: HTTP Intercept */ to:10.0.0.1:3127
DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ! match-set direct dst /* !fw3: HTTPS Intercept */ to:10.0.0.1:3129

I still suspect something has changed either on the browsers / Windows
OS or on the servers, which has increased the negotiation time so that
requests time out.

Any further guidance on debugging the issue would be very helpful.

Regards,
Nishant
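Added example for readers of this thread (it is not part of Nishant's post and not Squid code): a small Python helper that shows the two things worth checking when an intercepted handshake stalls but the explicit-proxy path works. `build_client_hello` constructs a minimal TLS 1.2 ClientHello carrying an SNI extension, and `parse_sni` extracts the host name from it in the same way a `peek` at `SslBump1` has to before an `ssl::server_name` ACL such as the `nobump.txt` list above can be evaluated (Squid itself does this with OpenSSL; the hand-written parser here is a simplified illustration). `time_handshake` then performs a real handshake with the system's `ssl` module, reports the elapsed time, negotiated version and certificate issuer, so the same host can be measured from a LAN client behind the DNAT rules and from the router itself: a spliced connection shows the origin's issuer, a bumped one shows the CA from `cert=`/`tls-cert=`, and a stall shows as the elapsed time approaching the timeout or a `socket.timeout`. The default target `example.com`, the fixed cipher suite and the zeroed random are assumptions of this example.

```python
"""Illustrative helpers (not Squid code) for debugging an intercepted TLS
handshake that stalls: build a ClientHello with SNI, extract the SNI the way
a peeking proxy does at SslBump step 1, and time a real handshake."""
import socket
import ssl
import struct
import time
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record with a server_name extension.
    Constructed for illustration; browsers send many more extensions."""
    host = sni.encode("idna")
    # ServerNameList entry: name_type=0 (host_name), 2-byte length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!HH", 2, 0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (assumed)
    body = (
        b"\x03\x03"           # client_version: TLS 1.2
        + b"\x00" * 32        # random (zeroed: constructed example, never use for real)
        + b"\x00"             # session_id length 0
        + cipher_suites
        + b"\x01\x00"         # compression_methods: null only
        + extensions
    )
    # Handshake header: type=1 (client_hello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type=22 (handshake), legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Extract host_name from a ClientHello record (what a peek at SslBump1
    sees before ssl::server_name ACLs can match). None if no SNI is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                               # header, client_version, random
    pos += 1 + hs[pos]                             # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                             # compression_methods
    if pos >= len(hs):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                     # server_name
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("idna")
                p += name_len
    return None


def time_handshake(host: str, port: int = 443, timeout: float = 10.0):
    """Full TLS handshake to host:port from this machine. Returns
    (elapsed seconds, negotiated version, issuer CN of the server cert).
    Compare the result from a LAN client (intercepted) with the router itself."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            elapsed = time.monotonic() - start
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return elapsed, tls.version(), issuer.get("commonName")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    print("SNI a peeking proxy would see:", parse_sni(build_client_hello(target)))
    print("handshake (s), version, issuer CN:", time_handshake(target))
```

Run it as `python3 tlscheck.py www.example.org` on a client behind the DNAT rules and again on the router (whose own traffic is not redirected); a large difference in elapsed time, or a timeout only on the client side, places the stall in the intercept path rather than at the origin. Squid's own view of the same handshake is available by adding `debug_options ALL,1 83,5 33,5` (sections 83 = TLS/SSL, 33 = client side) and watching cache.log during one attempt.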

