<div dir="ltr"><div class="gmail_default" style="font-size:large;color:#000000"><span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;display:inline;float:none">Hello!</span><div style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I'm facing an issue regarding bypassing authentication for some domains. I was following the official wiki <a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass" target="_blank" style="color:rgb(17,85,204)">here</a> and it worked, but every HTTPS request (CONNECT method) that belongs to the exception that I've made receives an SSL error (ssl_error_rx_record_too_long). 
Below are the squid.conf content, the squid version and the telemetry exception file.</div><div style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:monospace"><span style="color:rgb(0,0,0)"># squid -v</span><br>Squid Cache: Version 4.6<br>Service Name: squid<br>Debian linux<br>configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'<br></span><div><div dir="ltr"><div dir="ltr"><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><span style="font-family:monospace"># cat /etc/squid/squid.conf<br><br>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN<br>auth_param ntlm children 500<br>auth_param ntlm keep_alive on<br><br>auth_param basic program /usr/lib/squid/basic_ldap_auth -b ou=users,dc=mydomain,dc=com,dc=br -h 10.100.0.1 -p 389 -s sub -v 3 -f "uid=%s"<br>auth_param basic children 1000<br>auth_param basic realm Proxy Server ldap<br>auth_param basic credentialsttl 2 hours<br>auth_param basic casesensitive off<br><br><br>acl CONNECT method CONNECT<br>acl password proxy_auth REQUIRED<br><br><br>acl telemetry dstdomain "/etc/squid/exceptions/telemetry"<br>acl http proto http<br>acl port_443 port 443<br>acl port_80 port 80<br>http_access allow CONNECT port_443 telemetry<br>http_access allow http port_80 telemetry<br><br>http_access allow http port_80 password<br>http_access allow CONNECT port_443 password<br>http_access deny all<br><br>http_port 3128<br><br>acl hasRequest has request<br>access_log syslog:local4.warning squid hasRequest<br><br>visible_hostname proxy.mydomain.com.br<br><br>error_directory /usr/share/squid/errors/pt-br<br><br>cache_peer 127.0.0.1 parent 8080 0 login=*:password no-digest 
no-netdb-exchange<br>always_direct deny all<br>never_direct allow all<br>max_filedesc 65535<br></span></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><span style="font-family:monospace"># cat /etc/squid/exceptions/telemetry<br>.data.microsoft.com<br>.telemetry.microsoft.com<br></span></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline">Below, the test accessing <a href="https://watson.telemetry.microsoft.com/" target="_blank" style="color:rgb(17,85,204)">https://watson.telemetry.microsoft.com</a> with curl:</span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><span style="font-family:monospace">$ curl --proxy http://myserver:3128 -vk https://watson.telemetry.microsoft.com/<br>*   Trying 10.100.1.13:3128...<br>* TCP_NODELAY set<br>* Connected to myserver (10.100.1.13) port 3128 (#0)<br>* allocate connect buffer!<br>* Establish HTTP proxy tunnel to watson.telemetry.microsoft.com:443<br>> CONNECT watson.telemetry.microsoft.com:443 HTTP/1.1<br>> Host: watson.telemetry.microsoft.com:443<br>> User-Agent: curl/7.68.0<br>> Proxy-Connection: Keep-Alive<br>> <br>< HTTP/1.1 200 Connection established<br>< <br>* Proxy replied 200 to CONNECT request<br>* CONNECT phase completed!<br>* ALPN, offering h2<br>* ALPN, offering http/1.1<br>* successfully set certificate verify locations:<br>*   CAfile: /etc/ssl/certs/ca-certificates.crt<br>  CApath: /etc/ssl/certs<br>* TLSv1.3 (OUT), TLS handshake, Client hello (1):<br>* CONNECT phase completed!<br>* CONNECT phase completed!<br>* error:1408F10B:SSL routines:ssl3_get_record:wrong version number<br>* Closing connection 0<br>curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number<br></span></span></div><div><br></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline">With browser (Chrome):</span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><img src="cid:ii_l2gmrj5w0" alt="image.png" width="493" height="214"><br><br><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:small;float:none;display:inline"><br></span></div><div><font face="arial" color="#000000">Thanks,</font></div></div></div></div></div></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>--<br><span style="font-family:comic sans ms,sans-serif">Renato Carneiro Pacheco</span><div><span style="font-family:"comic sans ms",sans-serif">Security Analyst</span><span style="font-family:comic sans ms,sans-serif"></span><div><br><a href="http://br.linkedin.com/in/renatocarneirop" title="Visualizar perfil público" name="SignatureSanitizer_SafeHtmlFilter_webProfileURL" style="margin:0px;padding:0px;border:0px none;outline:currentcolor none medium;font-size:13px;font-family:Arial,Helvetica,"Nimbus Sans L",sans-serif;vertical-align:baseline;color:rgb(0,102,153);line-height:15px;background-color:rgb(255,255,255)" target="_blank">http://br.linkedin.com/in/renatocarneirop</a></div><div><a href="http://www.facebook.com/renatocarneirop" target="_blank">http://www.facebook.com/renatocarneirop</a><br><br style="font-family:comic sans ms,sans-serif"><i>"Do not believe what I say, for it is my experience and not yours. Experiment, inquire and seek." - </i>Osho Rajneesh</div></div></div></div></div></div></div>
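A diagnostic for the symptom in this message (the proxy answers 200 to CONNECT and the client then reports "wrong version number"), added here as an example; it is not code from the original post or from Squid. It splits the CONNECT reply from the bytes that follow it, classifies those bytes as a TLS record or plaintext HTTP, and `probe_connect` repeats the curl test from a script; `SAMPLE_BAD_TUNNEL` and the 407 page inside it are constructed, not data from the message.

```python
import socket
import ssl

# Constructed sample (not from the message): 200 to CONNECT, then an HTTP error page.
SAMPLE_BAD_TUNNEL = (b"HTTP/1.1 200 Connection established\r\n\r\n"
                     b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n<html>auth</html>")

def parse_connect_response(buf):
    """Return (status, bytes after the CONNECT reply headers); status is None if incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None, b""
    parts = buf[:end].split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None, b""
    return int(parts[1]), buf[end + 4:]

def classify_tunnel_bytes(data):
    """Classify the first bytes the client sees inside the tunnel after CONNECT 200."""
    if len(data) < 5:
        return "incomplete"
    # TLS record header: type 0x16 (handshake) or 0x15 (alert), version 0x0300-0x0304
    if data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    if data.startswith(b"HTTP/1."):
        # plaintext HTTP where TLS was expected: curl "wrong version number", Firefox "ssl_error_rx_record_too_long"
        return "http-response"
    return "unknown"

def tls_client_hello(server_name):
    """Produce a real ClientHello via the ssl module's memory BIOs (no network needed)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now queued in `outgoing`
    return outgoing.read()

def probe_connect(proxy, target, port=443, timeout=10):
    """CONNECT through proxy=(host, port), send a ClientHello and classify what comes back."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(f"CONNECT {target}:{port} HTTP/1.1\r\nHost: {target}:{port}\r\n\r\n".encode())
        buf = s.recv(4096)  # CONNECT reply, plus anything the proxy already pushed after it
        status, rest = parse_connect_response(buf)
        if status != 200:
            return status, "no-200-from-proxy"
        s.sendall(tls_client_hello(target))
        return status, classify_tunnel_bytes(rest + s.recv(4096))
```

A result of `(200, "http-response")` means the tunnel is carrying an HTTP reply where the client expected a TLS record. Since the posted config has `never_direct allow all`, CONNECT requests are forwarded to the cache_peer on 127.0.0.1:8080, so what that parent returns for the CONNECT is the next thing to check.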