<html><head></head><body bgcolor="#ffffff" text="#4c4c4c" link="#8793c1" vlink="#8793c1"><div>On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:</div><blockquote type="cite"><pre>On 25/11/17 08:30, James Lay wrote:
<blockquote type="cite">
Topic says it...this setup has been working well for a long time, but
now there are some sites that are failing the TLS handshake. Here's my
setup:
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
</blockquote>
Because you have "peek all" being performed, the transaction MUST pass
your regex patterns with both the TLS SNI from the client *and* the server
certificate SubjectName values. Either one not matching will perform
that "terminate all" on the TLS handshake.
</pre></blockquote><div><br></div><div>Thanks Amos...do you have a suggestion for changing this to match one or the other instead of both?</div><div><br></div><div>James</div><div><br></div><blockquote type="cite"><pre>
<blockquote type="cite">
sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_options ALL
</blockquote>
Also, please remove these "*_error allow all" and DONT_VERIFY_PEER lines
from your config. They are actively harmful.
<blockquote type="cite">
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5
http_port 3128 intercept
https_port 3129 intercept ssl-bump
cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem
cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem
key=/opt/etc/squid/certs/sslsplit_ca_key.pem
</blockquote>
NP: when cert= and key= are in the same file, you do not need to specify
key=.
<blockquote type="cite">
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
</blockquote>
It is also best to add "sslflags=NO_DEFAULT_CA" to these ports for
Squid-3. That will save a lot of useless memory overheads.
<blockquote type="cite">
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
</blockquote>
...
<blockquote type="cite">
For example, the file http_url.txt contains:
account\.elderscrollsonline\.com
\.elderscrollsonline\.com
elderscrollsonline\.com
After doing some reading, it looks like this is HTTP/2 traffic:
<a href="https://wiki.squid-cache.org/Features/HTTP2">https://wiki.squid-cache.org/Features/HTTP2</a>.
</blockquote>
There is no sign of HTTP/2 in that PCAP trace. SPDY/3 and HTTP/1.1 are
being offered by the client.
If that is from the client to Squid, then please check the matching
Squid->server connection for what is going on there.
If the problem remains please try Squid-4. It has more advanced TLS
capabilities than Squid-3.
Amos
_______________________________________________
squid-users mailing list
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre></blockquote></body></html>
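Added example, not configuration from this thread or from the Squid project: one way to get the behaviour James asks about, matching on the client SNI alone rather than on both the SNI and the server certificate subject, is to stop peeking after the client hello. With "peek all" Squid peeks again at step 2, fetches the server certificate, and the splice decision is made at step 3 where the ssl::server_name_regex ACL is also checked against the certificate names. If Squid only peeks at step 1, the splice rule is evaluated at step 2 with just the SNI in hand and the server certificate is never examined. This assumes Squid 3.5 or later, where the at_step ACL type exists; the ACL name "step1" and the comments are mine, the file path and the allowed_https_sites ACL are James's.

```conf
# Added example (not from the thread). Assumes Squid 3.5+ (at_step ACL).
acl step1 at_step SslBump1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Step 1: look at the client hello only, to learn the SNI.
ssl_bump peek step1

# Step 2: the SNI is known and the server has not been contacted yet.
# A splice here tunnels the connection as-is, so the server certificate
# subject is never fetched and never has to match the regex list.
ssl_bump splice allowed_https_sites

# Anything whose SNI is not on the list is terminated at step 2.
ssl_bump terminate all
```

The trade-off is the one a practitioner should weigh before switching: the SNI is supplied by the client, and in intercept mode so is the destination IP; the server certificate subject is the only name in the exchange the client does not control. Splicing on SNI alone therefore accepts the client's claim about where it is going, which is exactly the check the "peek all" configuration was enforcing. It also does nothing to change Amos's point about the sslproxy_cert_error allow all and DONT_VERIFY_PEER lines, which are omitted from this fragment and should be removed.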