<div dir="ltr">Okay, it's not a name of the cert problem.<div><br></div><div>I turned on extra debug info to see what I get when I remove the DONT_VERIFY_PEER flag and tried accessing <a href="https://www.yahoo.com">https://www.yahoo.com</a>. This is what I got in the cache.log. I only see a couple of lines about a certificate error. Sorry this is long but I didn't know what to include so I just included everything for that one access attempt.</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><i>2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</a> (<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[:">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=<a href="http://52.34.245.108:443">52.34.245.108:443</a> remote=<a href="http://10.40.40.110:49732">10.40.40.110:49732</a> FD 14 flags=33 method 3</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732">10.40.40.0:49732</a>) vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732">10.40.40.0:49732</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732">10.40.40.0:49732</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a>'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a> <> .<a href="http://akamaihd.net">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: '<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://akamaihd.net">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a>'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a> <> .<a href="http://wellsfargo.com">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: '<a href="http://tiles.services.mozilla.com">tiles.services.mozilla.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://wellsfargo.com">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[:">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/[:">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match</i></div><div><i>2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=<a href="http://52.34.245.108:443">52.34.245.108:443</a> remote=<a href="http://10.40.40.110:49732">10.40.40.110:49732</a> flags=33</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]">10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:40595">10.40.40.0:40595</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:40595">10.40.40.110:40595</a>' found</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc</i></div><div><i>2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on each interface (128 found)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]">10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</a> (<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/[:">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=<a href="http://98.138.253.109:443">98.138.253.109:443</a> remote=<a href="http://10.40.40.110:35474">10.40.40.110:35474</a> FD 18 flags=33 method 3</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]">10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:35474">10.40.40.0:35474</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://www.yahoo.com">www.yahoo.com</a>'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://www.yahoo.com">www.yahoo.com</a> <> .<a href="http://akamaihd.net">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: '<a href="http://www.yahoo.com">www.yahoo.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://akamaihd.net">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://www.yahoo.com">www.yahoo.com</a>'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://www.yahoo.com">www.yahoo.com</a> <> .<a href="http://wellsfargo.com">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: '<a href="http://www.yahoo.com">www.yahoo.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://wellsfargo.com">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/[:">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/[:">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match</i></div><div><i>2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=<a href="http://98.138.253.109:443">98.138.253.109:443</a> remote=<a href="http://10.40.40.110:35474">10.40.40.110:35474</a> flags=33</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div></div></blockquote><br></div><div>The web browser error says:</div><div>"Failed to establish a secure connection to (a <a href="http://yahoo.com">yahoo.com</a> IP address was here)"</div><div>and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"</div><div>and "Certificate issuer (CA) not known".</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <span dir="ltr"><<a href="mailto:stan.prescott@gmail.com" target="_blank">stan.prescott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks for the info, Alex. That's very helpful about cleaning up my ACLs. Those ACLs are a collection of ACLs that others have suggested I use, but it would be nice to make them less confusing for me.</div><div><br></div><div>With my limited understanding of how sslbump works, the idea for squid to play MITM is that a self-signed cert like squidCA.der is imported to a browser's root CAs. I have left a copy of the self-signed cert named squidCA.pem in the squid's cert directory which only works if squid is told to not verify the peer. When following the instructions how to generate the self-signed cert with openssl, the .pem file must be converted to a .der file for the browser to accept it. It just dawned on me that, could this be related to the fact that the squid self-signed certs are not named the same?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 08/03/2016 08:45 AM, Stanford Prescott wrote:<br>
<br>
> ssl_bump none localhostgreen<br>
<span>> ssl_bump peek tls_s1_connect all<br>
> ssl_bump splice tls_s2_client_hello tls_to_splice<br>
> ssl_bump stare tls_s2_client_hello all<br>
> ssl_bump bump tls_s3_server_hello all<br>
<br>
</span>AFAICT, the above is too complex. You can simplify it with:<br>
<br>
ssl_bump splice localhostgreen<br>
ssl_bump peek tls_s1_connect<br>
ssl_bump splice tls_to_splice<br>
ssl_bump stare all<br>
ssl_bump bump all<br>
<br>
and, after polishing your ACLs a little, possibly even with:<br>
<br>
ssl_bump splice transactions_to_splice<br>
ssl_bump peek tls_s1_connect<br>
ssl_bump stare all<br>
ssl_bump bump all<br>
<br>
where transactions_to_splice is "localhostgreen or (tls_s2_client_hello<br>
and tls_to_splice)".<br>
<br>
<br>
As for your original question, I recommend figuring out why Squid cannot<br>
verify the peer. For example, your setup might be missing fresh<br>
certificates for some well-known Root CAs. I do not know a good way to<br>
figure out why peer verification does not work, but analyzing cache.log<br>
with high-enough debugging level should be doable, especially if you can<br>
reproduce the problem using a single transaction:<br>
<br>
<a href="http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction</a><br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>