<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta name="Generator" content="Microsoft Word 15 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0cm;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p.msonormal0, li.msonormal0, div.msonormal0

        {mso-style-name:msonormal;

        mso-margin-top-alt:auto;

        margin-right:0cm;

        mso-margin-bottom-alt:auto;

        margin-left:0cm;

        font-size:12.0pt;

        font-family:"Times New Roman",serif;}

span.EmailStyle18

        {mso-style-type:personal-reply;

        font-family:"Calibri",sans-serif;

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        mso-fareast-language:EN-US;}

@page WordSection1

        {size:612.0pt 792.0pt;

        margin:72.0pt 72.0pt 72.0pt 72.0pt;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="EN-CA" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Tried both and individually; nothing doing.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I keep getting from Squid a TCP_MISS/503 to which the client page states:<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">(54) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Handshake with SSL server failed: [No Error]<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I’m currently using:

<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Squid Cache version 3.5.19<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I just tried substituting the service-name (service.foo.com) in my /etc/hosts, and define cache_peer to connect to service.foo.com,

 and even that doesn’t work.  It appears that the cache_peer directive, when SSL is enabled does not transmit SNI.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I did however, manage to get it working to some degree using ssl_bump (<a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a>)

 using peek, however, I’m also doing URI filtering with squid, and this defeats the purpose to URI filtering as it only checks the requested SNI header from the end-user, and transposes the connection to the cache_peer.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">So I’m thinking that the absence of SNI on cache_peer is a ‘bug’ or a ‘missing feature’, which I’m guessing my next viable option is

 to see if I can bridge the SNI gap with something like STUNNEL.<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Anyone else have any thoughts?<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>

<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Hector Chan [mailto:hectorchan@gmail.com]

<br>

<b>Sent:</b> June 22, 2016 1:09 AM<br>

<b>To:</b> Kristopher Lalletti <kristopher@lalletti.ca><br>

<b>Cc:</b> squid-users@lists.squid-cache.org<br>

<b>Subject:</b> Re: [squid-users] cache_peer directive with SNI<o:p></o:p></span></p>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<p class="MsoNormal" style="margin-bottom:12.0pt">Have you looked at the options forceddomain and ssldomain under the cache_peer directive?  Those may be just what you need.<br>

<br>

<o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<p class="MsoNormal">On Tue, Jun 21, 2016 at 8:14 PM, Kristopher Lalletti <<a href="mailto:kristopher@lalletti.ca" target="_blank">kristopher@lalletti.ca</a>> wrote:<o:p></o:p></p>

<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">

<p class="MsoNormal">Hi All,<br>

<br>

I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've hit a small snag.<br>

<br>

Basically, I need to tell squid to pass the proper SSL SNI name to the backend webserver which is accessed via SSL, and naturally, the SSL SNI service-name (<a href="http://service.foo.com" target="_blank">service.foo.com</a>) is not the server-hostname (<a href="http://webserver1.foo.com" target="_blank">webserver1.foo.com</a>),

 because I've got 3 servers providing for that service-name.<br>

<br>

Valid Request to my backend server:<br>

curl --verbose --resolve service.foo.com:10.10.10.10 <a href="https://service.foo.com/" target="_blank">

https://service.foo.com/</a><br>

<br>

Bad requests to my backend server:<br>

curl --verbose --header 'Host: <a href="http://service.foo.com" target="_blank">service.foo.com</a>'

<a href="https://webserver1.foo.com/" target="_blank">https://webserver1.foo.com/</a><br>

curl --verbose <a href="https://webserver1.foo.com/" target="_blank">https://webserver1.foo.com/</a><br>

curl --verbose <a href="https://10.10.10.10/" target="_blank">https://10.10.10.10/</a><br>

<br>

I've looked at the configuration that was generated for the cached_peer, and it came to this:<br>

<br>

cache_peer <a href="http://webserver1.foo.com" target="_blank">webserver1.foo.com</a> parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1<br>

<br>

Unfortunately, cached_peer doesn't seem to have any directives about this, which leads me to believe there may be a magic SSL Squid ACL that would tell the cache_peer to transpose the requested hostname as part of the SSL SNI hello message, or something like

 this...<br>

<br>

Any advice/orientation to approach the problem would be much appreciated.<br>

<br>

Cheers<br>

Kris<br>

_______________________________________________<br>

squid-users mailing list<br>

<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>

<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></p>

</blockquote>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

</div>

</body>

</html>