<div dir="ltr">Hi,<div><br></div><div>I am also having similar environment with squid (version 3.5.2 -20150218-r13758) and openssl 1.0.1k, but for me only small number of https sites are working with peek and splice. For eg:- , I can access <a href="https://www.google.com">https://www.google.com</a> but not <a href="https://ssllabs.com">https://ssllabs.com</a> and lot of other https domains, giving "Error
negotiating SSL on FD 15: error:140920E3:SSL
routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0) " in the cache.log file. </div><div><br></div><div>Also I could see a bunch of other error messages in the cache.log files relating to openssl (like "Error negotiating SSL on FD 21: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)" , "Error verifying certificates " etc) when tried to access sites like <a href="https://www.facebook.com">https://www.facebook.com</a>, <a href="https://www.yahoo.com">https://www.yahoo.com</a> etc</div><div><br></div><div>Squid is running on a CentOS 7 x64 box and Workstation is Win7 with Firefox and Chrome. I tried configuring openssl with disabling certain options with no-nextprotoneg and no-ec as well as with recent openssl version1.0.2 , but without any success.</div><div><br></div><div>Below is my squid config file.</div><div><br></div><div><div>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a><span class="" style="white-space:pre"> </span># RFC1918 possible internal network</div><div>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a><span class="" style="white-space:pre"> </span># RFC1918 possible internal network</div><div>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a><span class="" style="white-space:pre"> </span># RFC1918 possible internal network</div><div>acl localnet src fc00::/7 # RFC 4193 local private network range</div><div>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines</div><div><br></div><div>acl SSL_ports port 443</div><div>acl Safe_ports port 80<span class="" style="white-space:pre"> </span># http</div><div>acl Safe_ports port 21<span class="" style="white-space:pre"> </span># ftp</div><div>acl Safe_ports port 443<span class="" style="white-space:pre"> </span># https</div><div>acl Safe_ports port 70<span class="" style="white-space:pre"> </span># gopher</div><div>acl Safe_ports port 210<span class="" style="white-space:pre"> </span># wais</div><div>acl Safe_ports port 1025-65535<span class="" style="white-space:pre"> </span># unregistered ports</div><div>acl Safe_ports port 280<span class="" style="white-space:pre"> </span># http-mgmt</div><div>acl Safe_ports port 488<span class="" style="white-space:pre"> </span># gss-http</div><div>acl Safe_ports port 591<span class="" style="white-space:pre"> </span># filemaker</div><div>acl Safe_ports port 777<span class="" style="white-space:pre"> </span># multiling http</div><div>acl CONNECT method CONNECT</div><div><br></div><div>#</div><div># Recommended minimum Access Permission configuration:</div><div>#</div><div># Deny requests to certain unsafe ports</div><div>http_access deny !Safe_ports</div><div><br></div><div># Deny CONNECT to other than secure SSL ports</div><div>http_access deny CONNECT !SSL_ports</div><div><br></div><div># Only allow cachemgr access from localhost</div><div>http_access allow localhost manager</div><div>http_access deny manager</div><div>http_access allow localnet</div><div>http_access allow localhost</div><div><br></div><div># And finally deny all other access to this proxy</div><div>http_access deny all</div><div><br></div><div>ssl_bump peek all</div><div>ssl_bump splice all</div><div><br></div><div># Squid normally listens to port 3128</div><div>http_port <WAN Interface IP>:3128</div><div>http_port <WAN Interface IP>:3129 intercept</div><div>https_port <WAN Interface IP>:3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem</div></div><div><br></div><div>Does this has to do anything specific to my environment or the config options? Any help on this is highly appreciated.</div><div><br></div><div>Thanks in advance,</div><div>John</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 10, 2015 at 10:42 PM, Roel van Meer <span dir="ltr"><<a href="mailto:roel@1afa.com" target="_blank">roel@1afa.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Roel van Meer writes:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
>> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.<br>
>> > Traffic is redirected from port 443 top 3130 with iptables.<br>
>><br>
>> ... and with an older version of OpenSSL missing many of the last few<br>
>> years worth of TLS crypto features. IIRC the library releases are now up<br>
>> to 1.1.* or something. Its best to keep that kind of thing operating the<br>
>> latest versions.<br>
><br>
> I know it missing the latest features, but security patches are<br>
> backported. And I know it is old, but it's what I have to work with<br>
> now.Do you think it might be the cause of the problem I'm having with<br>
> peek/splice, or was it a general recommendation?<br>
<br>
Its a potential source of problems. Chrome is very much on the front<br>
line of the arms race attempting to stop things like SSL-Bump working.<br>
Firefox implement their own crypto library which tracks the latest TLS<br>
features at a similar speed of development.<br>
OpenSSL will be perpetually behind both of them, but at least the latest<br>
one(s) have better chances not to be advertising features they reject in<br>
"considered harmful" grounds.<br>
</blockquote>
<br>
I'll have a go then at trying with a newer openssl and the patches from thethread you mentioned.<br>
</blockquote>
<br>
With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections with no trouble. Tested with Lync, Chrome, Firefox, and IE.<br>
<br>
So you were right. :) Thanks a lot for pointing me in the right direction!<br>
<br>
Cheers,<br>
<br>
Roel<br>
______________________________<u></u>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<u></u>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/<u></u>listinfo/squid-users</a><br>
</blockquote></div><br></div>