<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What version of squid is provided on pfsense and what version are you using?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Eliezer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'>----<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'><a href="http://ngtech.co.il/lmgtfy/"><span style='color:#0563C1'>Eliezer Croitoru</span></a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <b>On Behalf Of </b>Yi?itcan U?UM<br><b>Sent:</b> 
Sunday, July 10, 2016 3:49 PM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [squid-users] HTTPS bump doesn't work with websites that require SNI<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:9.5pt'>Hello there. We're using pfsense and squid-proxy to bump https connections between some of our machines and www. The setup seems to work fine for most of the https sites, but it doesn't work for the others.</span><o:p></o:p></p><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>One example of these sites is "<a href="http://docs.docker.com/" target="_blank">docs.docker.com</a>". Even though we can connect to "<a href="http://docker.com/" target="_blank">docker.com</a>", we can't connect to "<a href="http://docs.docker.com/" target="_blank">docs.docker.com</a>".<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>The error we get is:<o:p></o:p></span></p></div><div><pre style='white-space:pre-wrap'><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#1E1E1E'>(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)<o:p></o:p></span></pre><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>Upon further investigation we found out that this happens because some sites require SNI to supply the correct SSL certificate.<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>You can test this out with:<o:p></o:p></span></p><p><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>-------------------------------<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>openssl s_client -connect <a href="http://docs.docker.com:443/" target="_blank">docs.docker.com:443</a> -> ERROR<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:</span><span style='font-size:9.5pt'><o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>-------------------------------</span><span style='font-size:9.5pt'><o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>openssl s_client -connect <a href="http://docs.docker.com:443/" target="_blank">docs.docker.com:443</a> -servername <a href="http://docs.docker.com/" target="_blank">docs.docker.com</a> -> Works<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>--------------------------------<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1E1E1E'>Squid seems to make https requests without the SNI. How can we configure Squid to use SNI? Thanks.<o:p></o:p></span></p></div></div></div></body></html>