<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div data-crea="font-wrapper" style="font-family: Tahoma; font-size: 16px; direction: ltr">May I ask if you are Intercepting the connections or in your setup you define/configure in the browser\client the proxy settings?<br><br>Eliezer<br><div><div data-crea="font-wrapper" style="font-family: Tahoma; font-size: 16px; direction: ltr"><br>----<br>Eliezer Croitoru<br>Linux System Administrator<br>Mobile+WhatsApp: +972-5-28704261<br>Email: eliezer@ngtech.co.il<br><img id="ngtech-signature-logo.png_0.6865162723420765" src="cid:fa90c3aaf18c6b0f45127250b01b3773" width="255" height="97"><br><br></div></div><br><br><div data-anchor="reply-title">On Tue, Oct 11, 2016 at 08:10 PM, - - <alex@imaginers.org> wrote:</div><blockquote><div>Dear all,<br><br>currently I try to configure peek-and-splice on Centos7 and squid4. I have a<br>running config for Centos6.6 and squid 3.5.18.<br><br>No matter what I try i can't get squid4 to splice certain sites and to<br>bump/terminate the rest. My config is as follows:<br><br>acl sni_exclusions ssl::server_name .google.com<br>acl sni_exclusions ssl::server_name .google.de<br><br>acl tcp_level at_step SslBump1<br>acl client_hello_peeked at_step SslBump2<br>ssl_bump peek tcp_level all<br>ssl_bump splice client_hello_peeked sni_exclusions<br>ssl_bump bump all<br><br>if I replace the ssl_bump bump all with ssl_bump terminate all, all sites are<br>terminated, if I do a ssl_bump splice all, all https traffic is going through.<br><br>the log when a device connects to an allowed site looks is below, if I accept<br>the self generated certificate access the webpage is allowed. If i do the same<br>with a site not allowed i'll get redirected to the deny_info page after<br>accepting the certificate. So everything working as desired besides the<br>certificate warning for "spliced" websites. I'm using the squid4 build from<br><a target="_blank" href="http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid_Beta_release">http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid_Beta_release</a>.<br><br>Thanks in advance for any hint,<br>Alex<br><br>squid version:<br>squid -v<br>Squid Cache: Version 4.0.12<br>Service Name: squid<br>configure options: '--build=x86_64-redhat-linux-gnu'<br>'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'<br>'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'<br>'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'<br>'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'<br>'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'<br>'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'<br>'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'<br>'--with-logdir=$(localstatedir)/log/squid'<br>'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking'<br>'--enable-follow-x-forwarded-for' '--enable-auth'<br>'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'<br>'--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory'<br>'--enable-auth-negotiate=kerberos,wrapper'<br>'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'<br>'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'<br>'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'<br>'--enable-ident-lookups' '--enable-linux-netfilter'<br>'--enable-removal-policies=heap,lru' '--enable-snmp'<br>'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'<br>'--enable-security-cert-generators' '--enable-security-cert-validators'<br>'--enable-icmp' '--with-aio' '--with-default-user=squid'<br>'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads'<br>'--with-included-ltdl' '--disable-arch-native' '--enable-ecap'<br>'--without-nettle' 'build_alias=x86_64-redhat-linux-gnu'<br>'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall<br>-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong<br>--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'<br>'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2<br>-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4<br>-grecord-gcc-switches -m64 -mtune=generic -fPIC'<br>'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'<br>--enable-ltdl-convenience<br><br>cache.log:<br>2016/10/11 16:54:57.126 kid1| 33,5| client_side.cc(1367) parseHttpRequest:<br>Prepare absolute URL from intercept<br>2016/10/11 16:54:57.126 kid1| 33,5| client_side.cc(2150) clientParseRequests:<br>local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33: done parsing a<br>request<br>2016/10/11 16:54:57.126 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x2b008e0 add<br>request 1 0x2b06280*3<br>2016/10/11 16:54:57.126 kid1| 33,5| Http1Server.cc(181) buildHttpRequest:<br>normalize 1 Host header using 216.58.211.3:443<br>2016/10/11 16:54:57.126 kid1| 33,3| client_side.cc(643) clientSetKeepaliveFlag:<br>http_ver = HTTP/1.1<br>2016/10/11 16:54:57.126 kid1| 33,3| client_side.cc(644) clientSetKeepaliveFlag:<br>method = CONNECT<br>2016/10/11 16:54:57.126 kid1| 33,3| http/Stream.h(139) mayUseConnection: This<br>0x2b06280 marked 1<br>2016/10/11 16:54:57.127 kid1| 33,3| client_side.cc(2163) clientParseRequests:<br>Not parsing new requests, as this request may need the connection<br>2016/10/11 16:54:57.127 kid1| 33,5| client_side.cc(3113) switchToHttps:<br>converting local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33 to SSL<br>2016/10/11 16:54:57.127 kid1| 33,4| ServerBump.cc(27) ServerBump: will peek at<br>216.58.211.3:443<br>2016/10/11 16:54:57.127 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall<br>ConnStateData::requestTimeout constructed, this=0x2b00b70 [call688]<br>2016/10/11 16:54:57.127 kid1| 33,4| Server.cc(90) readSomeData:<br>local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33: reading<br>request...<br>2016/10/11 16:54:57.127 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall<br>Server::doClientRead constructed, this=0x2b00c00 [call689]<br>2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(93) ScheduleCall:<br>IoCallback.cc(135) will call Server::doClientRead(local=216.58.211.3:443<br>remote=10.248.0.8:59837 FD 25 flags=33, data=0x2b00898) [call689]<br>2016/10/11 16:54:57.131 kid1| 33,5| AsyncCallQueue.cc(55) fireNext: entering<br>Server::doClientRead(local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25<br>flags=33, data=0x2b00898)<br>2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(38) make: make call<br>Server::doClientRead [call689]<br>2016/10/11 16:54:57.131 kid1| 33,5| AsyncJob.cc(123) callStart: Http1::Server<br>status in: [ job31]<br>2016/10/11 16:54:57.131 kid1| 33,5| Server.cc(104) doClientRead:<br>local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33<br>2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall<br>ConnStateData::requestTimeout constructed, this=0x2b04940 [call690]<br>2016/10/11 16:54:57.131 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2b008e0<br>front 0x2b06280*2<br>2016/10/11 16:54:57.131 kid1| 33,5| client_side.cc(3232)<br>httpsSslBumpStep2AccessCheckDone: Answer: ALLOWED kind:5<br>2016/10/11 16:54:57.131 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2b008e0<br>front 0x2b06280*3<br>2016/10/11 16:54:57.132 kid1| 33,5| client_side.cc(2577) httpsCreate: will<br>negotate SSL on local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33<br>2016/10/11 16:54:57.132 kid1| 33,5| AsyncJob.cc(153) callEnd: Http1::Server<br>status out: [ job31]<br>2016/10/11 16:54:57.132 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving<br>Server::doClientRead(local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25<br>flags=33, data=0x2b00898)<br>2016/10/11 16:54:57.182 kid1| 33,3| client_side.cc(4000) unpinConnection:<br>2016/10/11 16:54:57.182 kid1| 33,3| client_side.cc(3833) pinNewConnection:<br>local=10.4.38.62:26120 remote=216.58.211.3:443 FD 26 flags=1<br>2016/10/11 16:54:57.182 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall<br>ConnStateData::clientPinnedConnectionClosed constructed, this=0x2b3e750<br>[call704]<br>2016/10/11 16:54:57.182 kid1| 33,3| AsyncCall.cc(26) AsyncCall: The AsyncCall<br>ConnStateData::clientPinnedConnectionRead constructed, this=0x2b262b0 [call705]<br>2016/10/11 16:54:57.182 kid1| 33,5| client_side.cc(3361) httpsPeeked: bumped<br>HTTPS server: 216.58.211.3<br>2016/10/11 16:54:57.182 kid1| 33,3| Pipeline.cc(44) terminateAll: Pipeline<br>0x2b008e0 notify(0) 0x2b06280*3<br>2016/10/11 16:54:57.182 kid1| 33,3| Pipeline.cc(57) popMe: Pipeline 0x2b008e0<br>drop 0x2b06280*3<br>2016/10/11 16:54:57.183 kid1| 33,3| client_side_request.cc(270)<br>~ClientHttpRequest: httpRequestFree: 216.58.211.3:443<br>2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(383) logRequest: logging<br>half-baked transaction: 216.58.211.3:443<br>2016/10/11 16:54:57.183 kid1| 33,9| client_side.cc(387) logRequest:<br>clientLogRequest: al.url='216.58.211.3:443'<br>2016/10/11 16:54:57.183 kid1| 33,9| client_side.cc(397) logRequest:<br>clientLogRequest: http.code='200'<br>2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(3027) getSslContextStart:<br>Generating SSL certificate for <a target="_blank" href="http://www.google.de">www.google.de</a><br>2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(3346) doPeekAndSpliceStep:<br>PeekAndSplice mode, proceed with client negotiation. Currrent state:SSLv2/v3<br>read client hello A<br>2016/10/11 16:54:57.183 kid1| Error negotiating SSL connection on FD 25:<br>error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(93) ScheduleCall: comm.cc(736)<br>will call ConnStateData::connStateClosed(FD -1, data=0x2b00898) [call685]<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncCallQueue.cc(55) fireNext: entering<br>ConnStateData::connStateClosed(FD -1, data=0x2b00898)<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(38) make: make call<br>ConnStateData::connStateClosed [call685]<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncJob.cc(123) callStart: Http1::Server<br>status in: [ job31]<br>2016/10/11 16:54:57.209 kid1| 33,2| client_side.cc(586) swanSong:<br>local=216.58.211.3:443 remote=10.248.0.8:59837 flags=33<br>2016/10/11 16:54:57.209 kid1| 33,3| client_side.cc(4000) unpinConnection:<br>local=10.4.38.62:26120 remote=216.58.211.3:443 FD 26 flags=1<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(56) cancel: will not call<br>ConnStateData::clientPinnedConnectionClosed [call704] because<br>comm_remove_close_handler<br>2016/10/11 16:54:57.209 kid1| 33,3| AsyncCall.cc(56) cancel: will not call<br>ConnStateData::clientPinnedConnectionRead [call705] because comm_read_cancel<br>2016/10/11 16:54:57.209 kid1| 33,3| AsyncCall.cc(56) cancel: will not call<br>ConnStateData::clientPinnedConnectionRead [call705] also because<br>comm_read_cancel<br>2016/10/11 16:54:57.209 kid1| 33,3| client_side.cc(614) ~ConnStateData:<br>local=216.58.211.3:443 remote=10.248.0.8:59837 flags=33<br>2016/10/11 16:54:57.209 kid1| 33,4| ServerBump.cc(46) ~ServerBump: destroying<br>2016/10/11 16:54:57.209 kid1| 33,4| ServerBump.cc(48) ~ServerBump:<br>e:=sp2XDIV/0x2b04270*1<br>2016/10/11 16:54:57.209 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving<br>ConnStateData::connStateClosed(FD -1, data=0x2b00898)<br>_______________________________________________<br>squid-users mailing list<br><a target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br><a target="_blank" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></div></blockquote></div></body></html>