<div dir="ltr">Yes, you are right. I ran into the same problem as you did, and now I remember how I got it to work. I manually patched the version of squid I was using to send SNI. Let me if you are interested in going that route. If I remember right, it was just a 1 to 3 line-patch. <br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 23, 2016 at 5:31 AM, Kristopher Lalletti <span dir="ltr"><<a href="mailto:kristopher@lalletti.ca" target="_blank">kristopher@lalletti.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-CA">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tried both and individually; nothing doing.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I keep getting from Squid a TCP_MISS/503 to which the client page states:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">(54) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Handshake with SSL server failed: [No Error]<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I’m currently using:
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Squid Cache version 3.5.19<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I just tried substituting the service-name (<a href="http://service.foo.com" target="_blank">service.foo.com</a>) in my /etc/hosts, and define cache_peer to connect to <a href="http://service.foo.com" target="_blank">service.foo.com</a>,
and even that doesn’t work. It appears that the cache_peer directive, when SSL is enabled does not transmit SNI.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I did however, manage to get it working to some degree using ssl_bump (<a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice" target="_blank">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a>)
using peek, however, I’m also doing URI filtering with squid, and this defeats the purpose to URI filtering as it only checks the requested SNI header from the end-user, and transposes the connection to the cache_peer.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">So I’m thinking that the absence of SNI on cache_peer is a ‘bug’ or a ‘missing feature’, which I’m guessing my next viable option is
to see if I can bridge the SNI gap with something like STUNNEL.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Anyone else have any thoughts?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" lang="EN-US"> Hector Chan [mailto:<a href="mailto:hectorchan@gmail.com" target="_blank">hectorchan@gmail.com</a>]
<br>
<b>Sent:</b> June 22, 2016 1:09 AM<br>
<b>To:</b> Kristopher Lalletti <<a href="mailto:kristopher@lalletti.ca" target="_blank">kristopher@lalletti.ca</a>><br>
<b>Cc:</b> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] cache_peer directive with SNI<u></u><u></u></span></p><div><div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Have you looked at the options forceddomain and ssldomain under the cache_peer directive? Those may be just what you need.<br>
<br>
<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Jun 21, 2016 at 8:14 PM, Kristopher Lalletti <<a href="mailto:kristopher@lalletti.ca" target="_blank">kristopher@lalletti.ca</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Hi All,<br>
<br>
I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've hit a small snag.<br>
<br>
Basically, I need to tell squid to pass the proper SSL SNI name to the backend webserver which is accessed via SSL, and naturally, the SSL SNI service-name (<a href="http://service.foo.com" target="_blank">service.foo.com</a>) is not the server-hostname (<a href="http://webserver1.foo.com" target="_blank">webserver1.foo.com</a>),
because I've got 3 servers providing for that service-name.<br>
<br>
Valid Request to my backend server:<br>
curl --verbose --resolve service.foo.com:10.10.10.10 <a href="https://service.foo.com/" target="_blank">
https://service.foo.com/</a><br>
<br>
Bad requests to my backend server:<br>
curl --verbose --header 'Host: <a href="http://service.foo.com" target="_blank">service.foo.com</a>'
<a href="https://webserver1.foo.com/" target="_blank">https://webserver1.foo.com/</a><br>
curl --verbose <a href="https://webserver1.foo.com/" target="_blank">https://webserver1.foo.com/</a><br>
curl --verbose <a href="https://10.10.10.10/" target="_blank">https://10.10.10.10/</a><br>
<br>
I've looked at the configuration that was generated for the cached_peer, and it came to this:<br>
<br>
cache_peer <a href="http://webserver1.foo.com" target="_blank">webserver1.foo.com</a> parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1<br>
<br>
Unfortunately, cached_peer doesn't seem to have any directives about this, which leads me to believe there may be a magic SSL Squid ACL that would tell the cache_peer to transpose the requested hostname as part of the SSL SNI hello message, or something like
this...<br>
<br>
Any advice/orientation to approach the problem would be much appreciated.<br>
<br>
Cheers<br>
Kris<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div></div>