<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
First. Where can your cache find the OpenSSL public CA certs? To
validate the connection from the cache to the server, Squid must see the
root authority CAs.<br>
<br>
I.e. (from my configuration; note: all Google services are bumped and
work perfectly):<br>
<br>
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
key=/usr/local/squid/etc/rootCA.key capath=/etc/opt/csw/ssl/certs<br>
<br>
Second. The OpenSSL CA bundle is not complete. You must add ALL
intermediate and absent root CAs and run c_rehash.<br>
<br>
Third.<br>
Where is<br>
<br>
sslproxy_cert_error allow all<br>
<br>
and<br>
<br>
sslproxy_flags DONT_VERIFY_PEER<br>
<br>
in your configuration? Yes, this is dangerous, but it permits
suppressing errors on some sites.<br>
<br>
And finally - you can't bypass ssl bump on 3.4.x using dstdomain
ACLs. Only IP-based dst ACLs are usable.<br>
<br>
Regards,<br>
Yuri.<br>
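As an added example (not from this thread, and not Squid's own tooling), a small Python checker that reads a squid.conf and flags the points above: a bumping https_port without capath=/cafile=, an ssl_bump none rule keyed on a dstdomain ACL, and the two error-suppressing directives. The embedded sample configuration is constructed from the ssl-bump lines quoted in this thread.<br>

```python
# Constructed sample: the ssl-bump lines from the squid.conf quoted in this
# thread, plus the two error-suppressing directives mentioned in the reply.
SAMPLE_CONF = """\
acl home_network src 192.168.200.0/24
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
acl broken_sites dstdomain .gmail.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""


def parse(conf):
    """Split squid.conf text into (directive, [args]) pairs, dropping comments."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            rules.append((parts[0], parts[1:]))
    return rules


def lint(conf):
    """Return findings about how upstream certificates will (not) be verified."""
    rules = parse(conf)
    # acl <name> <type> ... : remember each ACL's type to see what ssl_bump keys on
    acl_types = {a[0]: a[1] for d, a in rules if d == "acl" and len(a) >= 2}
    findings = []
    for directive, args in rules:
        if directive == "https_port" and "ssl-bump" in args:
            if not any(a.startswith(("capath=", "cafile=")) for a in args):
                findings.append("https_port: no capath=/cafile=, so Squid has no root CAs to validate upstream servers against")
        elif directive == "ssl_bump" and len(args) >= 2 and args[0] == "none":
            for acl in args[1:]:
                if acl_types.get(acl) == "dstdomain":
                    findings.append(f"ssl_bump none {acl}: dstdomain ACL cannot exempt intercepted TLS on 3.4.x, use a dst (IP) ACL")
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: every upstream certificate error is silently accepted")
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream certificate verification is disabled entirely")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against the sample and it reports four warnings; a config with capath= on the https_port, a dst ACL for the exemption and neither suppressing directive reports none.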
<br>
06.02.2015 11:10, Luis Miguel Silva writes:<br>
<span style="white-space: pre;">> Dear all,<br>
><br>
> I recently compiled squid-3.4.9 with ssl-bump support and,
although it is working for the most part, I'm having some issues
accessing some websites.<br>
><br>
> The behavior is REALLY weird so I'm going to try and describe
it the best I can:<br>
> - If I access <a class="moz-txt-link-freetext" href="https://www.google.com/">https://www.google.com/</a> in Chrome, I could see
that it was processing my certificate MOST of the times...<br>
> *screenshot here*: <a class="moz-txt-link-freetext" href="http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg">http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg</a><br>
> - some other times, it seemed to bypass my proxy altogether
and I finally figured out it was because Chrome will try to access
QUIC enabled websites using that protocol, so it would bypass my
firewall redirect rules! I believe I now have solved this by
blocking FORWARDING traffic on port 443 udp...<br>
> - the weird thing is that, if I then try and access
<a class="moz-txt-link-freetext" href="https://gmail.com">https://gmail.com</a>, I get a certificate
error:<br>
> *screenshot here*: <a class="moz-txt-link-freetext" href="http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1">http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1</a><br>
> - ...though, sometimes, I can access <a class="moz-txt-link-freetext" href="https://mail.gmail.com/">https://mail.gmail.com/</a>
just fine (without any certificate errors), but stop being able to
as soon as I try to access <a class="moz-txt-link-freetext" href="https://gmail.com/">https://gmail.com/</a> and the browser
complains about the certificate.<br>
> -- and, according to my tests, I can access it from firefox
just fine MOST of the times:<br>
> *screenshot here*: <a class="moz-txt-link-freetext" href="http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2">http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2</a><br>
> -- though I have also seen situations where Firefox also
complains about a certificate error when connecting to gmail.com
<br>
> - and, although I cannot reproduce it 100% of the times,
sometimes, even though I have my iptables redirect rules ON, the
browser still seems to "connect direct" (or, at least, it shows it
has the original certificate)!<br>
> -- like I said, at first, I was able to trace this back to
QUIC in Chrome but...I'm currently blocking traffic on port 443
udp so I don't know what's happening here (does it use different
ports?!)<br>
> <br>
> So, here are *my questions*:<br>
> - why am I able to successfully ssl-bump
<a class="moz-txt-link-freetext" href="https://www.google.com">https://www.google.com</a> but not
<a class="moz-txt-link-freetext" href="https://gmail.com/">https://gmail.com/</a><br>
> - why does Chrome freak out about gmail but not Firefox?<br>
> - Is there a way to fix it OR, at least, to bypass it? (I
tried creating an ACL for this and allowing direct traffic but it
didn't seem to work...)<br>
> -- can we make the connection go direct when ssl certificate
errors are detected?<br>
> - and has anyone else seen this problem where the browser
seems to use the original certificate, even though I'm redirecting
traffic to Squid?<br>
><br>
> Not sure if this is relevant, but here are some ssl errors I
caught on my cache.log file:<br>
> root@server:/var/log/squid3# tail cache.log<br>
> 2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 30: Closed by client<br>
> 2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 30: Closed by client<br>
> 2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 96: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)<br>
> 2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 105: Closed by client<br>
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 79: Broken pipe (32)<br>
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 54: Broken pipe (32)<br>
> 2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 79: Closed by client<br>
> 2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 26: Closed by client<br>
> 2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 45: Closed by client<br>
> 2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error
negotiating SSL connection on FD 68: Closed by client<br>
> root@server:/var/log/squid3#<br>
><br>
> By the way, here's how I generated my certificate:<br>
> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509
-keyout myCA.pem -out myCA.pem<br>
> openssl x509 -in myCA.pem -outform DER -out certificate.der<br>
> (note: myCA.pem is the certificate that squid is using and
certificate.der is the one I've been installing on the client
computers)<br>
><br>
> And here's what my current squid.conf looks like:<br>
> root@server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf<br>
> #Access Lists<br>
> acl home_network src 192.168.200.0/24<br>
><br>
> #Ports allowed through Squid<br>
> acl Safe_ports port 80 #http<br>
> acl Safe_ports port 443 #https<br>
> acl SSL_ports port 443<br>
> acl SSL method CONNECT<br>
> acl CONNECT method CONNECT<br>
><br>
> #allow/deny<br>
> http_access allow home_network<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
> http_access deny all<br>
><br>
> http_port 3128<br>
> http_port 3129 intercept<br>
> https_port 3130 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/myCA.pem<br>
> acl broken_sites dstdomain .gmail.com<br>
> ssl_bump none localhost<br>
> ssl_bump none broken_sites<br>
> ssl_bump server-first all<br>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s
/usr/share/squid3/var/lib/ssl_db -M 4MB<br>
> sslcrtd_children 5<br>
><br>
> #caching directory<br>
> cache_dir ufs /var/spool/squid3 1024 16 128<br>
> cache_mem 1024 MB<br>
><br>
> #refresh patterns for caching static files<br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
> refresh_pattern ^gopher: 1440 0% 1440<br>
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
override-expire ignore-no-cache ignore-no-store ignore-private<br>
> refresh_pattern -i
\.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000
override-expire ignore-no-cache ignore-no-store ignore-private<br>
> refresh_pattern -i
\.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90%
43200 override-expire ignore-no-cache ignore-no-store
ignore-private<br>
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080<br>
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320<br>
> refresh_pattern . 0 40% 40320<br>
><br>
> dns_nameservers 8.8.8.8<br>
><br>
> #rewrite program<br>
> redirect_program /etc/squid3/filter.php<br>
> root@server:/etc/squid3/ssl_cert#<br>
><br>
> Thanks in advance,<br>
> Luis<br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
<br>
<br>
</body>
</html>