[squid-users] [EXTERNAL] Re: site opens only without ssl bump

Hannes Fasching hfasching at barracuda.com
Fri Nov 4 11:54:07 UTC 2022


Hi guys!
I had a similar problem with bumping the SSL connections.
When I did an ssl_bump stare at the step SslBump1 and then an ssl_bump bump all, the site did not load at all until I removed the ssl_bump stare. My further investigations took me to the ConnStateData::httpsPeeked method where the connection gets pinned, but later on squid ends the connection because the connection has to be not pinned.

I don't know if this problem is the same or related, but when you try to only bump or splice the connection and nothing else and it works, it might be this problem.

Best regards,
Hannes
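Added example, not code from this thread or from the Squid project: a small Python scanner for an access.log written with the %err_code/%err_detail-extended logformat that Alex asks for in the quoted thread below. It assumes the field order of the logformat line Majed posted (the standard "squid" fields followed by %err_code/%err_detail), that the name after access_log matches the logformat name, and that a CONNECT which reached its destination is followed by a TCP_TUNNEL entry (spliced) or by bumped requests to the same host. The sample log lines are constructed, and the error detail value in the last sample line is a placeholder, because detail strings vary between Squid versions.

```python
"""Scan a Squid access.log written with an %err_code/%err_detail-extended
logformat and report CONNECT requests that look like failed TLS tunnels.

Assumed logformat (the one posted in the quoted thread, unwrapped):
  logformat xsquid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
  access_log /var/log/squid/access.log xsquid
The name after access_log must match the name given to logformat.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Entry:
    ts: float
    client: str
    status: str      # Squid result code, e.g. NONE_NONE, TCP_TUNNEL, TCP_MISS
    size: int
    method: str
    url: str
    hier: str        # hierarchy code, e.g. HIER_NONE, HIER_DIRECT
    err_code: str    # "-" when no error; "?" when the field is absent
    err_detail: str


def host_of(url: str) -> str:
    """CONNECT targets are host:port; bumped requests carry a full URL."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]


def parse_line(line: str):
    f = line.split()
    if len(f) < 10:
        return None
    status = f[3].split("/", 1)[0]
    hier = f[8].split("/", 1)[0]
    if len(f) >= 11 and "/" in f[10]:
        err_code, err_detail = f[10].split("/", 1)
    else:
        # Line ends after %mt: the extended logformat was not applied, which is
        # exactly what the "records do not end with -/-" check in the thread catches.
        err_code = err_detail = "?"
    return Entry(float(f[0]), f[2], status, int(f[4]), f[5], f[6], hier, err_code, err_detail)


def suspicious_connects(lines, window: float = 5.0):
    """Return (client, host), reason pairs for CONNECTs with no sign of success."""
    entries = [e for e in map(parse_line, lines) if e]
    # Timestamps of traffic proving a CONNECT got somewhere: a TCP_TUNNEL entry
    # (spliced or plain tunnel) or any bumped request to the same host.
    served = defaultdict(list)
    for e in entries:
        if e.method != "CONNECT" or e.status == "TCP_TUNNEL":
            served[(e.client, host_of(e.url))].append(e.ts)

    findings = []
    for e in entries:
        if e.method != "CONNECT" or e.status != "NONE_NONE" or e.hier != "HIER_NONE":
            continue
        key = (e.client, host_of(e.url))
        followed = any(e.ts <= t <= e.ts + window for t in served[key])
        if e.err_code not in ("-", "?"):
            findings.append((key, f"Squid reported {e.err_code}/{e.err_detail}"))
        elif not followed:
            reason = "no tunnel or bumped request followed within %.0fs" % window
            if e.err_code == "?":
                reason += "; err fields missing, check the logformat/access_log pairing"
            findings.append((key, reason))
    return findings


# Constructed sample lines (not from the thread's proxy). The err_detail value
# "placeholder_detail" on the last line stands in for a version-specific string.
SAMPLE_LOG = """\
1667471200.100     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667471201.100     40 192.168.2.5 NONE_NONE/200 0 CONNECT example.test:443 - HIER_NONE/- - -/-
1667471201.420   1210 192.168.2.5 TCP_TUNNEL/200 5120 CONNECT example.test:443 - HIER_DIRECT/203.0.113.10 - -/-
1667471202.000     35 192.168.2.5 NONE_NONE/200 0 CONNECT bank.example:443 - HIER_NONE/- - -/-
1667471202.300    210 192.168.2.5 TCP_MISS/200 8831 GET https://bank.example/login - HIER_DIRECT/203.0.113.20 text/html -/-
1667471203.000     80 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ias.ckko.nl:443 - HIER_NONE/- - ERR_SECURE_CONNECT_FAIL/placeholder_detail
""".splitlines()

if __name__ == "__main__":
    for (client, host), reason in suspicious_connects(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

Run against a real log with `suspicious_connects(open("/var/log/squid/access.log"))`; the first sample line reproduces the thread's symptom (a 10-field record with no -/- at the end), which the scanner reports separately so a logging misconfiguration is not mistaken for a bump failure.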

From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Majed Zouhairy <m_zouhairy at ckta.by>
Sent: Friday, 4 November 2022 07:31
To: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: [EXTERNAL] Re: [squid-users] site opens only without ssl bump



On 11/3/22 21:25, Alex Rousskov wrote:
> On 11/3/22 10:17, Majed Zouhairy wrote:
>> here is the log:
>
>> 1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
>
>> i added the following line to squid:
>>
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
>
> Please do not redefine built-in formats like "squid". As you can see,
> your adjustment had no effect -- the log records do not end with -/- (or
> better). Follow the xsquid sketch (that I shared earlier) instead.
>

with

logformat squidx %err_code/%err_detail
access_log xsquid

squid stopped logging completely

>> with either
>>
>> ssl_bump peek all
>> ssl_bump splice all
>>
>> or
>>
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice all
>>
>> it still does not work.
>
> Interesting. How about just:
>
>    ssl_bump splice all
>
> ... which should splice the TCP connections before any TLS work begins.
with

ssl_bump splice all

now the site works

>
> Alex.
>
>
>> On 11/3/22 16:05, Alex Rousskov wrote:
>>> On 11/3/22 05:43, Majed Zouhairy wrote:
>>>
>>>> i have 2 proxies, one with ssl bump and one without, there is an
>>>> internal site that opens only on the no ssl bump proxy.
>>>>
>>>> on the ssl bump proxy it displays:
>>>
>>>
>>> What does Squid say in access.log for this problematic request?
>>> Please configure Squid to log %err_code/%err_detail before answering
>>> this question. For example:
>>>
>>> logformat xsquid ...your regular %codes... %err_code/%err_detail
>>> access_log ... xsquid
>>>
>>>
>>>
>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>
>>> ssl_bump peek all
>>> ssl_bump splice all
>>>
>>>
>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>
>>> ssl_bump peek tls_s1_connect
>>> ssl_bump splice all
>>>
>>>
>>> Alex.
>>>
>>>
>>>
>>>
>>>> This site can't be reached. The web page at (i was
>>>> unable to gain access to website:)
>>>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback may be temporarily down or it may have moved permanently to a new address. (it is possible that it can not be reached or it has been permanently relocated to a new address)
>>>> ERR_TUNNEL_CONNECTION_FAILED
>>>>
>>>> the site needs special configurations to run:
>>>> it needs a local proxy to run, avtunproxy.nl
>>>> in the internet explorer settings:
>>>> the second box in the proxy settings needs to be checked called the
>>>> "use the scenario for automatic configuration"
>>>> in it, the proxy address is plugged
>>>> http://127.0.0.1:10224/proxy.pac
>>>>
>>>> my bump settings are as follows:
>>>>
>>>>
>>>> acl     tls_s1_connect        at_step SslBump1
>>>> acl     tls_s2_client_hello     at_step SslBump2
>>>> acl     tls_s3_server_hello     at_step SslBump3
>>>>
>>>> # define acls for sites that must not be actively bumped
>>>>
>>>> acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
>>>> acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
>>>> acl     tls_server_is_bank      ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>>>> acl     tls_to_splice           any-of  tls_allowed_hsts tls_server_is_bank
>>>>
>>>> # TLS/SSL bumping steps
>>>>
>>>> ssl_bump    peek      tls_s1_connect    # peek at TLS/SSL connect data
>>>> ssl_bump    splice    tls_to_splice     # splice some: no active bump
>>>> ssl_bump    stare     all               # stare(peek) at server properties of the webserver
>>>> ssl_bump    bump
>>>>
>>>> contents of the
>>>> /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>>>
>>>> .ckko.nl
>>>> .ias.ckko.nl
>>>> .test-auth.ias.ckko.nl
>>>> .config.avtunproxy.nl
>>>> .rand.avtunproxy.nl
>>>> .avast.nl
>>>> .dev.avast.nl
>>>> .ncis.nl
>>>> .cdn.nlpost.nl
>>>>
>>>> those are all the sites that are logged in on the non ssl bump proxy
>>>> when ias.ckko.nl is accessed
>>>>
>>>> despite all this configuration, the site does not open. in ufdbguard
>>>> every site from the user is a pass.
>>>>
>>>> in avtunproxy log :
>>>>
>>>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
>>>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>>>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>>>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>>>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>>>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>>>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log
>>>>
>>>>
>>>> what is the solution?
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
