<div dir="ltr">Good idea, Antony. <div><br></div><div>Here's what I found.</div><div><br></div><div>On the squid server when I use the following command to monitor a call to <a href="https://www.google.com">https://www.google.com</a> </div><div><br></div><div><p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">tcpdump -i eth0 -vv 'port 443'</p><div><br></div>I get the following:</div><div><br></div><div><p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto TCP (6), length 60)</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)"> d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum 0x62f0 (correct), seq 3198653455, win 14600, options [mss 1460,sackOK,TS val 530978513 ecr 0,nop,wscale 7], length 0</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">17:32:56.390214 IP (tos 0x0, ttl 42, id 42485, offset 0, flags [none], proto TCP (6), length 60)</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)"> qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum 0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, options [mss 1380,nop,nop,TS val 953915655 ecr 530978513,nop,wscale 7], length 0</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">17:32:56.390423 IP (tos 0x0, ttl 64, id 33503, offset 0, flags [DF], proto TCP (6), length 52)</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)"> d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [.], cksum 0x11f5 (correct), seq 1, ack 1, win 115, options [nop,nop,TS val 530978529 ecr 953915655], length 0</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">17:32:56.605977 IP (tos 0x0, ttl 64, id 33504, offset 0, flags [DF], proto TCP (6), length 329)</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)"> d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum 0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, options [nop,nop,TS val 530978745 ecr 953915655], length 277</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">17:32:56.622191 IP (tos 0x0, ttl 42, id 42578, offset 0, flags [none], proto TCP (6), length 52)</p>
<p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)"> qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [.], cksum 0x0e3e (correct), seq 1, ack 278, win 341, options [nop,nop,TS val 953915887 ecr 530978745], length 0</p></div><div><br></div><div>but when I monitor on the non-standard https port (8184) that I'm trying to connect to, I do not see any traffic at all. So this leads me to believe that squid is not actually trying to make the call on the client's behalf.</div><div><br></div><div>So I'm feeling a bit lost. </div><div><br></div><div>I've upgraded to 3.5.11.</div><div><br></div><div>The only change I made to the default /etc/squid/squid.conf is to add the two non-standard https ports that I need to connect to via:</div><div><br></div><div><p style="margin:0px;font-size:13px;line-height:normal;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">acl SSL_ports port 443 8184 8185</p><br>Is there any way to get more logging out of squid? I tried adding debug_option ALL to the squid.conf but didn't see any more logging.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 30, 2015 at 10:59 AM, Antony Stone <span dir="ltr"><<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.source.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Monday 30 November 2015 at 18:53:54, Bart Spedden wrote:<br>
<br>
> I can successfully connect as long as I don't use squid for either 1 way or<br>
> 2 way TLS connections. I've also successfully connected via curl. So, I feel<br>
> like the site's certs are working well. I could be totally off base here<br>
> but my interpretation of the 503 (service unavailable) is that squid is<br>
> timing out on tls handshake? But what is weird is that when using squid I<br>
> can successfully connect to google using https. So, that is what makes me<br>
> wonder if it has something to do with the non-standard https port?<br>
<br>
</span>If it's a timeout, you should be able to see this with a standard wireshark /<br>
tcpdump packet capture (no SSL inspection necessary) on your external-facing<br>
router (or anywhere else which is a common path both when going direct from<br>
the client, and via Squid).<br>
<br>
Comparing the two (even though you can't decode the content of the packets)<br>
may well give a clue as to what's going on differently between the two types of<br>
connection.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
Antony.<br>
<br>
--<br>
Users don't know what they want until they see what they get.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Bart Spedden | Senior Developer</div></div>
</div>
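<div>The capture comparison suggested in the quoted reply can be done on tcpdump's text output. The sketch below is an added example, not part of the original thread or of Squid; it goes slightly beyond the post by classifying every flow to a given port. It assumes <code>tcpdump -vv</code> text output that includes the start of each connection, and the names <code>summarize</code> and <code>verdict</code> are hypothetical.</div>

```python
import re

# Flow line of `tcpdump -vv` text output: "  src.port > dst.port: Flags [..], ..., length N"
FLOW = re.compile(r"^\s+(\S+)\.([\w-]+) > (\S+)\.([\w-]+): Flags \[([^\]]*)\].*length (\d+)")

def verdict(f):
    if not f["synack"]:
        return "reset by peer" if f["rst"] else "SYN unanswered"
    if f["c2s"] == 0:
        return "connected, client sent nothing"
    if f["s2c"] == 0:
        return "client sent data, no server data"
    return "data in both directions"

def summarize(capture, ports):
    """Map each client endpoint talking to one of `ports` to a handshake verdict.
    `ports` holds the strings tcpdump prints (service name or number)."""
    ports, flows = {str(p) for p in ports}, {}
    for line in capture.splitlines():
        m = FLOW.match(line)
        if not m:
            continue                      # IP header line or unrelated output
        src, sport, dst, dport, flags, length = m.groups()
        if dport in ports:
            key, from_client = f"{src}.{sport}", True
        elif sport in ports:
            key, from_client = f"{dst}.{dport}", False
        else:
            continue
        f = flows.setdefault(key, {"synack": False, "rst": False, "c2s": 0, "s2c": 0})
        if "S" in flags and not from_client:
            f["synack"] = True            # [S.] coming back from the server side
        if "R" in flags:
            f["rst"] = True
        f["c2s" if from_client else "s2c"] += int(length)
    return {k: verdict(f) for k, f in flows.items()}

# First four lines abridged from the capture in the post; the 8184 line is constructed.
SAMPLE = """\
17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto TCP (6), length 60)
 d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum 0x62f0 (correct), seq 3198653455, win 14600, length 0
 qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum 0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, length 0
 d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum 0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, length 277
 d6uxpci.lq.com.51000 > origin.example.8184: Flags [S], cksum 0x1111 (correct), seq 1, win 14600, length 0
"""

if __name__ == "__main__":
    for port in ("https", "8184", "8185"):
        print(port, summarize(SAMPLE, [port]) or "no packets seen")
```

<div>An empty result for a port corresponds to the observation in the post for 8184: no packets at all, so the proxy never attempted the outbound connection and the cause lies in how the request was handled rather than on the network path.</div>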