<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body>
Great Mister!<br>
<br>
It's working now by adding:<br>
<pre>url_rewrite_access deny CONNECT</pre>
<br>
Your "url_redirect_access deny CONNECT" gave me an error:<br>
/etc/squid/squid.conf:102 unrecognized: 'url_redirect_access'<br>
<br>
Thank you very very much. My problem is solved now and everything's running
fine.<br>
<br>
<br>
<span style="color: gray;">05/31/17 16:14:59, Amos Jeffries &lt;<a
href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt;:</span><br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204);margin: 0 0 0
0.8ex;padding: 1ex 0 0 1ex;">On 31/05/17 20:15, Andi wrote:<br>
&gt; Squid 3.5.25 + Squidclamav(c-icap) + SquidGuard<br>
&gt; Here are the logs with SSL_ERROR_RX_RECORD_TOO_LONG in Firefox by <br>
&gt; debug_options ALL,1 11,2 and 61,5<br>
&gt; <a
href="https://mega.nz/#!dIdAkYra!aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk">https://mega.nz/#!dIdAkYra!aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk</a> <br>
&gt; &lt;<a
href="https://mega.nz/#%21dIdAkYra%21aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk">https://mega.nz/#%21dIdAkYra%21aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk</a>&gt;<br>
&gt;<br>
&gt; Here the squid.conf &amp; squidguard.conf<br>
&gt; <a
href="https://pastebin.com/v2LA8CcR">https://pastebin.com/v2LA8CcR</a><br>
&gt;<br>
<br>
I see your SG is trying to redirect HTTPS tunnels (which are essentially
collections of multiple transactions) to a single HTTP plain-text page
URL (singular). There is a bug in Squid that is dutifully (but wrongly)
sending that response back as-is to the client. But since this is just
an intercepted TCP connection at this point the browser just mistakes it
for bogus TLS handshake bytes.<br>
I think I saw some patches from Christos fixing some of this a while
back, but do not recall if they made it into Squid-3. There is a lot of
SSL-Bump redesign that only exists in Squid-4 these days.<br>
<br>
SG should never be sent CONNECT messages anyway - it does not understand
them, never has AFAIK. So the workaround is simply to enforce that like
so:<br>
<br>
url_redirect_access deny CONNECT<br>
<br>
Squid will then do any relevant bumping and pass SG the decrypted
messages you actually want it to manage.<br>
<br>
Amos<br>
<br>
</blockquote>
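<br>
A small squid.conf check for the workaround discussed in this thread, added here as an example (it is not code from either poster or from the Squid project). The sample configs, the helper path and the function names are constructed for illustration; the check is a heuristic that only reasons about url_rewrite_access rules made purely of CONNECT-method ACLs or "all".<br>

```python
# Constructed sample configs (illustrative; not the poster's squid.conf).
BROKEN = """\
acl CONNECT method CONNECT
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_redirect_access deny CONNECT
"""
FIXED = BROKEN.replace("url_redirect_access", "url_rewrite_access")

# Directive name that Squid 3.5.25 rejected in the error quoted in this thread.
UNRECOGNIZED = {"url_redirect_access"}

def directives(conf):
    """Yield (lineno, name, args) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split()
        if tokens and not tokens[0].startswith("#"):
            yield lineno, tokens[0], tokens[1:]

def audit(conf):
    """Return findings about CONNECT requests reaching the URL rewriter."""
    findings = []
    connect_acls = {"CONNECT"}   # name used by the stock 'acl CONNECT method CONNECT'
    has_rewriter = False
    connect_denied = None        # None until a rule decides the CONNECT case
    for lineno, name, args in directives(conf):
        if name == "acl" and len(args) >= 3 and args[1] == "method" and "CONNECT" in args[2:]:
            connect_acls.add(args[0])
        elif name == "url_rewrite_program":
            has_rewriter = True
        elif name in UNRECOGNIZED:
            findings.append(f"line {lineno}: '{name}' is not recognized; use url_rewrite_access")
        elif name == "url_rewrite_access" and len(args) >= 2 and connect_denied is None:
            action, acls = args[0], args[1:]
            # First matching rule wins. Only rules made purely of CONNECT-method
            # ACLs, or the catch-all 'all', are treated as deciding the case.
            if acls == ["all"] or all(a in connect_acls for a in acls):
                connect_denied = (action == "deny")
    if has_rewriter and not connect_denied:
        findings.append("CONNECT requests are passed to the url_rewrite_program helper")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(conf) or "OK")
```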
</body>
</html>