<div dir="ltr">First run the command I mentioned to ensure openssl can verify the full chain for Yahoo.<div><br></div><div><span style="font-size:12.8px">$ openssl s_client -connect www.yahoo.com:443 &lt;/dev/null</span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If that fails at any depth, then check the default certificate directory compiled into openssl.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">$ openssl version -d</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If the directory is not /usr/ssl or /usr/ssl/certs then you need to tell openssl to use that directory.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">$ openssl s_client -connect www.yahoo.com:443 -CApath /usr/ssl/certs &lt;/dev/null</span><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If this verifies OK then you have to tell squid to pass the same parameter to openssl with the following config option.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">sslproxy_capath /usr/ssl/certs</span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">You also may need to rehash your ssl cert directory.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">This command should spit out the subject hash of the root 
cert.</span></div><div><span style="font-size:12.8px">$ openssl x509 -in /usr/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem -noout -subject_hash</span></div><div><span style="font-size:12.8px">415660c1</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">You should have a corresponding symlink in the /usr/ssl/certs directory that looks something like this.</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">$ ls -la 415660c1.*</span></div><div><span style="font-size:12.8px">lrwxrwxrwx 1 root root 97 Jul 5 20:27 415660c1.0 -&gt; ../../ca-certificates/extracted/cadir/Verisign_Class_3_Public_Primary_Certification_Authority.pem</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If you don't have a symlink that matches the subject hash, then rehash the directory like so, as root:</span></div><div><span style="font-size:12.8px"># c_rehash /usr/ssl/certs</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If the hash symlink doesn't exist then openssl's verify functions will fail.</span></div><div><span style="font-size:12.8px"><br></span></div><div><br></div><div><span style="font-size:12.8px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 4, 2016 at 12:29 PM, Stanford Prescott <span dir="ltr">&lt;<a href="mailto:stan.prescott@gmail.com" target="_blank">stan.prescott@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">That would explain the error if the Verisign Class 3 public root CA were missing. However, our Smoothwall Express OS has all the standard root CAs packaged in /usr/ssl/certs. Do I need to tell squid where to find those certs? 
If so, what config directive would I use for that?<div><br></div><div>Thanks!</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg <span dir="ltr">&lt;<a href="mailto:bruce.rosenberg.au@gmail.com" target="_blank">bruce.rosenberg.au@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It looks like you are missing the Verisign Class 3 Public Primary Root cert.</div><div>Notice the certificate chain list below.</div><div>Yahoo correctly sends back all intermediate certificates in the TLS handshake, so the only certificate you need to make sure squid trusts (via openssl) is the Verisign root.</div><div><br></div><div>You should be able to determine if the openssl client on the squid proxy can verify the complete chain by running the following command on the proxy.</div><div>The important part is that at each step it outputs "verify return:1", meaning that the certificate at that depth in the chain was successfully verified by its issuing certificate, i.e. the certificate at the previous higher level depth that we have already established we trust.</div><div>The root certificate is automagically verified by virtue of being explicitly trusted by your openssl.</div><div><br></div><div><br></div><div>$ openssl s_client -connect www.yahoo.com:443 &lt;/dev/null</div><div>CONNECTED(00000003)</div><div>depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority</div><div>verify return:1</div><div>depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. 
- For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5</div><div>verify return:1</div><div>depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4</div><div>verify return:1</div><div>depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU = Information Technology, CN = www.yahoo.com</div><div>verify return:1</div><div>---</div><div>Certificate chain</div><div> 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com</div><div> i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4</div><div> 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4</div><div> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5</div><div> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5</div><div> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <span dir="ltr">&lt;<a href="mailto:stan.prescott@gmail.com" target="_blank">stan.prescott@gmail.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Okay, it's not a cert name problem.<div><br></div><div>I turned on extra debug info to see what I get when I remove the DONT_VERIFY_PEER flag and tried accessing <a href="https://www.yahoo.com" target="_blank">https://www.yahoo.com</a>. 
This is what I got in the cache.log. I only see a couple of lines about a certificate error. Sorry this is long but I didn't know what to include so I just included everything for that one access attempt.</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><i>2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) 
matches: checking localhostgreen</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%5D" target="_blank">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</a> (<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5B:" target="_blank">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) 
matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=<a href="http://52.34.245.108:443" target="_blank">52.34.245.108:443</a> remote=<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a> FD 14 flags=33 method 3</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D" target="_blank">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732" target="_blank">10.40.40.0:49732</a>) vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D" target="_blank">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732" target="_blank">10.40.40.0:49732</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 
kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D" target="_blank">10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:49732" target="_blank">10.40.40.0:49732</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://tiles.services.mozilla.com" target="_blank">tiles.services.mozilla.com</a>'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://tiles.services.mozilla.com" 
target="_blank">tiles.services.mozilla.com</a> <> .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: '<a href="http://tiles.services.mozilla.com" target="_blank">tiles.services.mozilla.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://tiles.services.mozilla.com" target="_blank">tiles.services.mozilla.com</a>'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://tiles.services.mozilla.com" target="_blank">tiles.services.mozilla.com</a> <> .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: '<a href="http://tiles.services.mozilla.com" target="_blank">tiles.services.mozilla.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 
28,3| Acl.cc(158) matches: checked: tls_to_splice = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5B:" target="_blank">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:49732/%5B:" target="_blank">10.40.40.110:49732/[:</a>:] ([::]:49732) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a>' found</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1</i></div><div><i>2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match</i></div><div><i>2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,5| 
Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=<a href="http://52.34.245.108:443" target="_blank">52.34.245.108:443</a> remote=<a href="http://10.40.40.110:49732" target="_blank">10.40.40.110:49732</a> flags=33</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 
'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:40595/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D" target="_blank">10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:40595" target="_blank">10.40.40.0:40595</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:40595" target="_blank">10.40.40.110:40595</a>' found</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc</i></div><div><i>2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8</i></div><div><i>2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on 
each interface (128 found)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen</i></div><div><i>2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%5D" target="_blank">10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</a> (<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]</i></div><div><i>2016/08/03 
18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/%5B:" target="_blank">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=<a href="http://98.138.253.109:443" 
target="_blank">98.138.253.109:443</a> remote=<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a> FD 18 flags=33 method 3</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D" target="_blank">10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</a> (<a href="http://10.40.40.0:35474" target="_blank">10.40.40.0:35474</a>) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| 
Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 
kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a>'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a> <> .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: '<a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking '<a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a>'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:<a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a> <> .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: '<a href="http://www.yahoo.com" 
target="_blank">www.yahoo.com</a>' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/%5B:" target="_blank">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| 
Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: <a href="http://10.40.40.110:35474/%5B:" target="_blank">10.40.40.110:35474/[:</a>:] ([::]:35474) vs [::]-[::]/[::]</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a>' found</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 
1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1</i></div><div><i>2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match</i></div><div><i>2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68</i></div><div><i>2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=<a href="http://98.138.253.109:443" target="_blank">98.138.253.109:443</a> remote=<a href="http://10.40.40.110:35474" target="_blank">10.40.40.110:35474</a> flags=33</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,5| 
Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8</i></div><div><i>2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8</i></div></div></blockquote><br></div><div>The web browser error says:</div><div>"Failed to establish a secure connection to (a <a href="http://yahoo.com" target="_blank">yahoo.com</a> IP address was here)"</div><div>and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"</div><div>and "Certificate issuer (CA) not known".</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <span dir="ltr"><<a href="mailto:stan.prescott@gmail.com" target="_blank">stan.prescott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks for the info, Alex. That's very helpful about cleaning up my ACLs. 
Those ACLs are a collection of ACLs that others have suggested I use, but it would be nice to make them less confusing for me.</div><div><br></div><div>With my limited understanding of how sslbump works, the idea for squid to play MITM is that a self-signed cert like squidCA.der is imported to a browser's root CAs. I have left a copy of the self-signed cert named squidCA.pem in Squid's cert directory, which only works if squid is told to not verify the peer. When following the instructions on how to generate the self-signed cert with openssl, the .pem file must be converted to a .der file for the browser to accept it. It just dawned on me: could this be related to the fact that the squid self-signed certs are not named the same?</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 08/03/2016 08:45 AM, Stanford Prescott wrote:<br>
<br>
> ssl_bump none localhostgreen<br>
<span>> ssl_bump peek tls_s1_connect all<br>
> ssl_bump splice tls_s2_client_hello tls_to_splice<br>
> ssl_bump stare tls_s2_client_hello all<br>
> ssl_bump bump tls_s3_server_hello all<br>
<br>
</span>AFAICT, the above is too complex. You can simplify it with:<br>
<br>
ssl_bump splice localhostgreen<br>
ssl_bump peek tls_s1_connect<br>
ssl_bump splice tls_to_splice<br>
ssl_bump stare all<br>
ssl_bump bump all<br>
<br>
and, after polishing your ACLs a little, possibly even with:<br>
<br>
ssl_bump splice transactions_to_splice<br>
ssl_bump peek tls_s1_connect<br>
ssl_bump stare all<br>
ssl_bump bump all<br>
<br>
where transactions_to_splice is "localhostgreen or (tls_s2_client_hello<br>
and tls_to_splice)".<br>
<br>
<br>
As for your original question, I recommend figuring out why Squid cannot<br>
verify the peer. For example, your setup might be missing fresh<br>
certificates for some well-known Root CAs. I do not know a good way to<br>
figure out why peer verification does not work, but analyzing cache.log<br>
with high-enough debugging level should be doable, especially if you can<br>
reproduce the problem using a single transaction:<br>
<br>
<a href="http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction</a><br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br></div></div>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
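The shorter rule set Alex suggests, written out as a complete squid.conf fragment. This is an added example for this page, not configuration from the thread or from the Squid project. The ACL definitions are assumptions reconstructed from the names that appear in the debug log above: tls_s1_connect and tls_s2_client_hello as at_step ACLs, localhostgreen as a src ACL, and tls_to_splice as an any-of over two ssl::server_name ACLs; the address, the domain lists and the CA directory path are placeholders.

```conf
# --- ACLs assumed for this example; the debug log above shows only their names ---
acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl localhostgreen      src 10.40.40.1

# Servers that must be spliced rather than bumped (placeholder domains).
acl tls_allowed_hsts    ssl::server_name .akamaihd.net
acl tls_server_is_bank  ssl::server_name .wellsfargo.com
acl tls_to_splice       any-of tls_allowed_hsts tls_server_is_bank

# "localhostgreen or (tls_s2_client_hello and tls_to_splice)", expressed with
# Squid's all-of / any-of combinators so a single splice rule covers both cases.
acl splice_at_hello        all-of tls_s2_client_hello tls_to_splice
acl transactions_to_splice any-of localhostgreen splice_at_hello

ssl_bump splice transactions_to_splice
ssl_bump peek   tls_s1_connect
ssl_bump stare  all
ssl_bump bump   all

# Keep the default shown in the log (sslproxy_cert_error answered DENIED):
# Squid must not bump a server whose certificate it cannot verify. Fix
# verification by pointing Squid at a hashed CA directory (path is a placeholder)
# instead of allowing certificate errors.
sslproxy_cert_error deny all
sslproxy_capath /etc/ssl/certs
```

Rule order matters: at step 1 only localhostgreen can match, so other connections are peeked; at step 2 the client hello supplies the SNI that ssl::server_name checks, and anything not spliced is stared and then bumped. sslproxy_capath is the Squid 3.5 directive name; Squid 4 moved it to tls_outgoing_options capath=.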
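Alex recommends finding out why Squid cannot verify the peer, and the log ends with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The script below is an added example, not code from the thread or the Squid project: it reproduces that exact OpenSSL failure offline with a throwaway CA and leaf certificate generated on the spot (constructed test data), verifies the leaf against a CA directory the way a client given a CApath would, and shows that a CA file in the directory is not enough until the <subject_hash>.N symlink exists, which is what c_rehash and "openssl rehash" create. It assumes only a POSIX shell and the openssl command-line tool; the CA name, the leaf name and the directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# Reproduces "unable to get local issuer certificate" (OpenSSL error 20,
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) using a throwaway CA and
# leaf generated here, then fixes it with the subject-hash link OpenSSL
# needs to find a CA inside a directory. Assumes a POSIX shell and openssl.
set -eu

# make_chain <workdir>: self-signed root CA (ca.pem) and a leaf it signs
# (leaf.pem). Inline configs keep this independent of the system openssl.cnf.
make_chain() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = www.example.test\n' \
        > "$1/leaf.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -config "$1/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_leaf <capath> <leaf.pem>: verify against that directory only (the
# compiled-in default store is disabled), as Squid does with sslproxy_capath.
# Prints OK, or the reason text from the OpenSSL lookup error.
verify_leaf() {
    if out=$(openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" 2>&1); then
        echo OK
    else
        # The failing line looks like:
        # error 20 at 0 depth lookup: unable to get local issuer certificate
        printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# hash_link <capath> <pemfile-in-capath>: create the <subject_hash>.N symlink
# that OpenSSL's directory lookup requires; a bare PEM file is never consulted.
# Several CAs can share one hash, so N counts up from 0. Prints the hash.
hash_link() {
    h=$(openssl x509 -in "$1/$2" -noout -subject_hash)
    n=0
    while [ -e "$1/$h.$n" ] && [ "$(readlink "$1/$h.$n")" != "$2" ]; do
        n=$((n + 1))
    done
    ln -sf "$2" "$1/$h.$n"
    echo "$h"
}

demo() {
    work=$(mktemp -d)
    capath="$work/certs"    # stands in for the directory sslproxy_capath points at
    mkdir -p "$capath"
    make_chain "$work"
    # Install the CA as a plain file, as a package would, with no hash link yet.
    cp "$work/ca.pem" "$capath/Example_Test_Root_CA.pem"
    echo "unhashed dir: $(verify_leaf "$capath" "$work/leaf.pem")"
    hash=$(hash_link "$capath" Example_Test_Root_CA.pem)
    ls -l "$capath/$hash.0"
    echo "hashed dir:   $(verify_leaf "$capath" "$work/leaf.pem")"
    rm -rf "$work"
}

demo
```

Run it as is to see the before/after pair; to check a real deployment, point verify_leaf at the directory Squid is configured with and at a server certificate saved with openssl s_client, and compare the hash printed by openssl x509 -subject_hash for each root against the links actually present in that directory.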