<div dir="ltr"><div><div><div><div style="margin-left:40px"><span class="im">> acl s1_tls_connect at_step SslBump1</span><br><span class="im">
> acl s2_tls_client_hello at_step SslBump2</span><br><span class="im">
> acl s3_tls_server_hello at_step SslBump3</span><br><span class="im">
></span><br><span class="im">
> acl tls_server_name_is_ip ssl::server_name_regex \</span><br><span class="im">
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n</span><br><span class="im">
</span><br><span class="im">
</span>You have a letter 'n' on the end there, is that intentional?<br><br></div>It would seem so. I copied that from someone else's "peek-splice" directives that they said worked well for them. The actual regex in the Perl script that writes squid.conf is <i>"print FILE "acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";"</i>.<br><br><div style="margin-left:40px"><span class="im">> acl google ssl::server_name .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
> ssl_bump peek s1_tls_connect all<br>
><br>
> acl nobumpSites ssl::server_name .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
><br>
> ssl_bump splice s2_tls_client_hello nobumpSites<br>
> ssl_bump splice s2_tls_client_hello google<br>
><br>
> ssl_bump stare s2_tls_client_hello all<br>
><br>
> ssl_bump bump s3_tls_server_hello all<br>
><br>
> cache_peer <a href="http://forcesafesearch.google.com" rel="noreferrer" target="_blank">forcesafesearch.google.com</a> parent 443 0 \<br>
> ssl name=GS originserver \<br>
> no-query no-netdb-exchange no-digest<br>
><br>
> acl search dstdomain .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
> cache_peer_access GS allow search<br>
> cache_peer_access GS deny all<br>
<br>
</span>I think the fake-CONNECT Squid creates still has only raw-IP:port<br>
details. And with splicing you don't have the decrypt to set up dstdomain<br>
URL details.<br>
<br>
For dstdomain you need to match what shows up in access.log as the URI<br>
of these requests.<br><br></div><div style="margin-left:40px">Does the "google" ACL work in cache_peer_access to use the SNI?<br><br></div></div>The "dstdomain .<a href="http://google.com">google.com</a>" was taken directly from an example that was provided. When I try to access <i><a href="http://google.com">google.com</a></i> the error message says a "secure connection could not be established to <i><a href="http://google.com">http://google.com</a>". </i>It seems the "redirect to https" isn't working using the acl <span class="im"><i>"acl google ssl::server_name .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a></i>" in "cache_peer_access". </span>If I enter instead <i><a href="https://google.com">https://google.com</a> </i>then I don't get that error but inappropriate Google images are still not blocked. When I look at the access.log, all I see are IP addresses for the domains for CONECTs like this<br><br><i>1441396051.210     62 10.3.3.100 TCP_MISS/503 3639 GET <a href="http://www.google.com/">http://www.google.com/</a> - FIRSTUP_PARENT/<a href="http://216.239.38.120">216.239.38.120</a> text/html<br>1441396051.330     61 10.3.3.100 TCP_MISS/503 3640 GET <a href="http://www.google.com/favicon.ico">http://www.google.com/favicon.ico</a> - FIRSTUP_PARENT/<a href="http://216.239.38.120">216.239.38.120</a> text/html<br>1441396051.390     58 10.3.3.100 TCP_MISS/503 3672 GET <a href="http://www.google.com/favicon.ico">http://www.google.com/favicon.ico</a> - FIRSTUP_PARENT/<a href="http://216.239.38.120">216.239.38.120</a> text/html<br>1441396097.795     81 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.191:443">74.125.227.191:443</a> - ORIGINAL_DST/<a href="http://74.125.227.191">74.125.227.191</a> -<br>1441396097.830     87 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.172:443">74.125.227.172:443</a> - ORIGINAL_DST/<a href="http://74.125.227.172">74.125.227.172</a> -<br>1441396098.115     93 10.3.3.100 
TAG_NONE/200 0 CONNECT <a href="http://74.125.227.175:443">74.125.227.175:443</a> - ORIGINAL_DST/<a href="http://74.125.227.175">74.125.227.175</a> -<br>1441396098.877     79 10.3.3.100 TCP_MISS/200 840 POST <a href="http://clients1.google.com/ocsp">http://clients1.google.com/ocsp</a> - ORIGINAL_DST/<a href="http://74.125.227.168">74.125.227.168</a> application/ocsp-response<br>1441396098.878    622 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.160:443">74.125.227.160:443</a> - HIER_NONE/- -<br>1441396098.878    621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT <a href="http://74.125.227.160:443">74.125.227.160:443</a> - ORIGINAL_DST/<a href="http://74.125.227.160">74.125.227.160</a> -<br>1441396099.078     92 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.217:443">74.125.227.217:443</a> - ORIGINAL_DST/<a href="http://74.125.227.217">74.125.227.217</a> -<br>1441396099.189    106 10.3.3.100 TCP_MISS/200 809 GET <a href="https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=DQAAAMQAAAA4q0535ee2zf0UOZwVQ6_S4mSWjf5Kb4fXl9x3McqtJiWrkQIQToYoQiKlpOleH4gYm8RDSWUaDvvHLQqnRZUq0hgjBst5H7svmtOGMUQJWwIv_orC8WVMfxr91CPgT5DFQ-5IULxyQsXmTMj9gOrFQ6S3PA86VzwCr1buDy8gaOeX_wF-hzw52PmkI5fEDNXwc5rhvhFkZ0epUswSyOMIWKqbgKDwcM3MpxD8WsDKiPdKyTD7qlNjZfxKqKO2EBJD2pbu24zhvuCHX7baeaPt">https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=DQAAAMQAAAA4q0535ee2zf0UOZwVQ6_S4mSWjf5Kb4fXl9x3McqtJiWrkQIQToYoQiKlpOleH4gYm8RDSWUaDvvHLQqnRZUq0hgjBst5H7svmtOGMUQJWwIv_orC8WVMfxr91CPgT5DFQ-5IULxyQsXmTMj9gOrFQ6S3PA86VzwCr1buDy8gaOeX_wF-hzw52PmkI5fEDNXwc5rhvhFkZ0epUswSyOMIWKqbgKDwcM3MpxD8WsDKiPdKyTD7qlNjZfxKqKO2EBJD2pbu24zhvuCHX7baeaPt</a> - ORIGINAL_DST/<a href="http://74.125.227.217">74.125.227.217</a> image/gif<br>1441396112.635     99 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.175:443">74.125.227.175:443</a> - ORIGINAL_DST/<a href="http://74.125.227.175">74.125.227.175</a> -<br>1441396114.575     85 10.3.3.100 TAG_NONE/200 0 CONNECT <a 
href="http://74.125.227.191:443">74.125.227.191:443</a> - ORIGINAL_DST/<a href="http://74.125.227.191">74.125.227.191</a> -<br>1441396123.684     92 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.191:443">74.125.227.191:443</a> - ORIGINAL_DST/<a href="http://74.125.227.191">74.125.227.191</a> -<br>1441396124.205     87 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.175:443">74.125.227.175:443</a> - ORIGINAL_DST/<a href="http://74.125.227.175">74.125.227.175</a> -<br>1441396127.192     84 10.3.3.100 TAG_NONE/200 0 CONNECT <a href="http://74.125.227.205:443">74.125.227.205:443</a> - ORIGINAL_DST/<a href="http://74.125.227.205">74.125.227.205</a> -<br><br></i></div>I don't know how to tell if the SNI is being used in cache_peer_access other than, as I mentioned above, only IP addresses appear in access.log for the .<a href="http://google.com">google.com</a> domain.<br><br><div style="margin-left:40px">The flag DONT_VERIFY_PEER tells Squid not to even bother checking any<br>
security on the outgoing server connection when going DIRECT (not to the<br>
cache_peer). Making the sslproxy_cert_error rules useless.<br><br></div>You've mentioned this before. The problem is that with my squid.conf, if it doesn't have DONT_VERIFY_PEER, ssl-bump does not work at all. Is there a better way to set up ssl-bump than what I have that doesn't use DONT_VERIFY_PEER?<br><br></div>Here is my complete squid.conf. Hope it is helpful.<br><br><div style="margin-left:40px"><i>visible_hostname smoothwallu3<br><br># Uncomment the following to send debug info to /var/log/squid/cache.log<br>#debug_options ALL,1 33,2 28,9<br><br># ACCESS CONTROLS<br># ----------------------------------------------------------------<br>acl localhostgreen src 10.3.3.1<br>acl localnetgreen src <a href="http://10.3.3.0/24">10.3.3.0/24</a><br><br>acl SSL_ports port 445 443 441 563<br>acl Safe_ports port 80            # http<br>acl Safe_ports port 81            # smoothwall http<br>acl Safe_ports port 21            # ftp <br>acl Safe_ports port 445 443 441 563    # https, snews<br>acl Safe_ports port 70             # gopher<br>acl Safe_ports port 210               # wais  <br>acl Safe_ports port 1025-65535        # unregistered ports<br>acl Safe_ports port 280               # http-mgmt<br>acl Safe_ports port 488               # gss-http <br>acl Safe_ports port 591               # filemaker<br>acl Safe_ports port 777               # multiling http<br><br>acl CONNECT method CONNECT<br><br># TAG: http_access<br># ----------------------------------------------------------------<br><br><br><br>http_access allow localhost<br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br><br>http_access allow localnetgreen<br>http_access allow CONNECT localnetgreen<br><br>http_access allow localhostgreen<br>http_access allow CONNECT localhostgreen<br><br># http_port and https_port<br>#----------------------------------------------------------------------------<br><br># For forward-proxy port. 
Squid uses this port to serve error pages, ftp icons and communication with other proxies.<br>#----------------------------------------------------------------------------<br>http_port 3127<br><br>http_port <a href="http://10.3.3.1:800">10.3.3.1:800</a> intercept<br>https_port <a href="http://10.3.3.1:808">10.3.3.1:808</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem<br><br><br>http_port <a href="http://127.0.0.1:800">127.0.0.1:800</a> intercept<br><br>sslproxy_session_cache_size 4 MB<br><br>ssl_bump none localhostgreen<br><br>acl s1_tls_connect      at_step SslBump1<br>acl s2_tls_client_hello at_step SslBump2<br>acl s3_tls_server_hello at_step SslBump3<br><br>acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n<br>acl google ssl::server_name .<a href="http://google.com">google.com</a><br>ssl_bump peek  s1_tls_connect      all<br>ssl_bump splice s2_tls_client_hello google<br>ssl_bump stare  s2_tls_client_hello all<br>ssl_bump bump  s3_tls_server_hello all<br><br>cache_peer <a href="http://forcesafesearch.google.com">forcesafesearch.google.com</a> parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest<br>acl search dstdomain .<a href="http://google.com/imghp">google.com/imghp</a><br>cache_peer_access GS allow search<br>cache_peer_access GS deny all<br><br>sslproxy_cert_error allow tls_server_name_is_ip<br>sslproxy_cert_error deny all<br>sslproxy_flags DONT_VERIFY_PEER<br>sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB<br>sslcrtd_children 5<br><br>http_access deny all<br><br>cache_replacement_policy heap GDSF<br>memory_replacement_policy heap GDSF<br><br># CACHE OPTIONS<br># ----------------------------------------------------------------------------<br>cache_effective_user squid<br>cache_effective_group squid<br><br>cache_swap_high 100<br>cache_swap_low 
80<br><br>cache_access_log stdio:/var/log/squid/access.log<br>cache_log /var/log/squid/cache.log<br>cache_mem 64 MB<br><br>cache_dir diskd /var/spool/squid/cache 1024 16 256<br><br>maximum_object_size 33 MB<br><br>minimum_object_size 0 KB<br><br><br>request_body_max_size 0 KB<br><br># OTHER OPTIONS<br># ----------------------------------------------------------------------------<br>#via off<br>forwarded_for off<br><br>pid_filename /var/run/squid.pid<br><br>shutdown_lifetime 10 seconds<br>#icp_port 3130<br><br>half_closed_clients off<br><br>umask 022<br><br>logfile_rotate 0<br><br>strip_query_terms off<br><br></i><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 4, 2015 at 2:09 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 5/09/2015 5:48 a.m., Stanford Prescott wrote:<br>
> I have tried to enable safe searching with Squid 3.5.7 using ssl-bump<br>
> splice but when I enable it, browsing to <a href="https://google.com" rel="noreferrer" target="_blank">https://google.com</a> generates a<br>
> Squid error page saying there is no valid certificate. Browsing to all<br>
> other https sites loads the pages correctly and all other SSL-bump sites<br>
> get bumped and displayed correctly.<br>
><br>
> Has anyone had any luck getting this to work? Here is the relevant<br>
> squid.conf entries<br>
><br>
<br>
</span>Please use 3.5.8. The ssl_bump behaviour got some more important fixes<br>
recently.<br>
<span class=""><br>
<br>
><br>
> acl s1_tls_connect at_step SslBump1<br>
> acl s2_tls_client_hello at_step SslBump2<br>
> acl s3_tls_server_hello at_step SslBump3<br>
><br>
> acl tls_server_name_is_ip ssl::server_name_regex \<br>
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n<br>
<br>
</span>You have a letter 'n' on the end there, is that intentional?<br>
<span class=""><br>
><br>
> acl google ssl::server_name .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
> ssl_bump peek s1_tls_connect all<br>
><br>
> acl nobumpSites ssl::server_name .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
><br>
> ssl_bump splice s2_tls_client_hello nobumpSites<br>
> ssl_bump splice s2_tls_client_hello google<br>
><br>
> ssl_bump stare s2_tls_client_hello all<br>
><br>
> ssl_bump bump s3_tls_server_hello all<br>
><br>
> cache_peer <a href="http://forcesafesearch.google.com" rel="noreferrer" target="_blank">forcesafesearch.google.com</a> parent 443 0 \<br>
> ssl name=GS originserver \<br>
> no-query no-netdb-exchange no-digest<br>
><br>
> acl search dstdomain .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
> cache_peer_access GS allow search<br>
> cache_peer_access GS deny all<br>
<br>
</span>I think the fake-CONNECT Squid creates still has only raw-IP:port<br>
details. And with splicing you don't have the decrypt to set up dstdomain<br>
URL details.<br>
<br>
For dstdomain you need to match what shows up in access.log as the URI<br>
of these requests.<br>
<br>
Does the "google" ACL work in cache_peer_access to use the SNI?<br>
<span class=""><br>
<br>
><br>
> sslproxy_cert_error allow tls_server_name_is_ip<br>
><br>
> sslproxy_cert_error deny all<br>
> sslproxy_flags DONT_VERIFY_PEER<br>
><br>
<br>
</span>The flag DONT_VERIFY_PEER tells Squid not to even bother checking any<br>
security on the outgoing server connection when going DIRECT (not to the<br>
cache_peer). Making the sslproxy_cert_error rules useless.<br>
<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
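Two points in the thread can be checked mechanically: the spliced CONNECT entries in access.log carry only a raw IP:port, so a "dstdomain .google.com" ACL can never match them, and the server_name_regex as posted (unescaped dots, a literal 'n' where the Perl script meant "$\n") matches no IP at all. The Python below is an added example, not code from the thread or from Squid; it runs over constructed log lines modelled on the ones quoted above, and dstdomain_matches is a simplified emulation of Squid's dstdomain ACL, which is an assumption.

```python
import re
from urllib.parse import urlsplit

# The server_name_regex exactly as it appears in the posted squid.conf
# (unescaped dots, a literal 'n' where the Perl script meant "$\n") ...
POSTED_IP_RE = re.compile(r'^[0-9]+.[0-9]+.[0-9]+.[0-9]+n')
# ... and the regex the Perl print statement was intended to write.
FIXED_IP_RE = re.compile(r'^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')

# Constructed sample lines in Squid's native access.log format, modelled on
# the entries quoted in the thread (timestamp, duration, client, status/code,
# bytes, method, URI, user, hierarchy/host, content type).
SAMPLE_LOG = """\
1441396051.210 62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795 81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396098.878 621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396099.189 106 10.3.3.100 TCP_MISS/200 809 GET https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1 - ORIGINAL_DST/74.125.227.217 image/gif
"""

def uri_host(method, uri):
    """Host part of the logged URI; this is what a dstdomain ACL is matched against."""
    if method == "CONNECT":
        return uri.rsplit(":", 1)[0]  # CONNECT URIs are logged as host:port
    return urlsplit(uri).hostname or ""

def dstdomain_matches(pattern, host):
    """Simplified emulation (an assumption, not Squid's code) of a dstdomain ACL:
    a leading dot matches the domain itself and any subdomain of it."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def classify(log_text, search_domain=".google.com"):
    """For each log line, report whether the URI host is a bare IP (so only an
    IP-based ACL could ever match it) and whether the dstdomain ACL would hit."""
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        method, uri = fields[5], fields[6]
        host = uri_host(method, uri)
        rows.append({
            "method": method,
            "host": host,
            "host_is_ip": bool(FIXED_IP_RE.match(host)),
            "posted_regex_hits": bool(POSTED_IP_RE.match(host)),
            "search_acl_hits": dstdomain_matches(search_domain, host),
        })
    return rows
```

Running classify(SAMPLE_LOG) shows the two CONNECT lines as bare IPs that the posted regex still fails to match, and only the plain-HTTP GET to www.google.com satisfying the dstdomain ACL.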