<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>OK, so the issue was that:<o:p></o:p></p><p class=MsoNormal>The http_port was used for ssl bump with intercept, while the only port which can really intercept ssl connections is:<o:p></o:p></p><p class=MsoNormal>https_port<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So I believe that there should be a warning about such a line in the cache log.<o:p></o:p></p><p class=MsoNormal>When there is http_port and intercept and ssl_bump there should be a warning.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Eliezer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> NgTech LTD &lt;ngtech1ltd@gmail.com&gt; <br><b>Sent:</b> Monday, August 19, 2024 10:48 AM<br><b>To:</b> Squid Users &lt;squid-users@lists.squid-cache.org&gt;<br><b>Subject:</b> Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I am testing Squid 6.10 on Fedora 40 (their package).<br>And it seems that Squid is unable to bump clients (ESNI/ECH)?<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I had a couple of iterations of peek, stare and bump and I am not sure what the reason for that is:<br>shutdown_lifetime 3 seconds<br>external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \<br> children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb<br>acl whitelist-lookup external whitelist-lookup-helper<br>acl ytmethods method POST GET<br>acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC 1918 local private network (LAN)<br>acl 
localnet src <a href="http://100.64.0.0/10">100.64.0.0/10</a> # RFC 6598 shared address space (CGN)<br>acl localnet src <a href="http://169.254.0.0/16">169.254.0.0/16</a> # RFC 3927 link-local (directly plugged) machines<br>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC 1918 local private network (LAN)<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br>http_access allow localhost manager<br>http_access deny manager<br>http_access allow localhost<br>http_access deny to_localhost<br>http_access deny to_linklocal<br>acl tubedoms dstdomain .<a href="http://ytimg.com">ytimg.com</a> .<a href="http://youtube.com">youtube.com</a> .<a href="http://youtu.be">youtu.be</a><br>http_access allow ytmethods localnet tubedoms whitelist-lookup<br>http_access allow localnet<br>http_access deny all<br>http_port 3128<br>http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \<br> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \<br> generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB<br>sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB<br>sslcrtd_children 5<br>acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG<br>acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT<br>on_unsupported_protocol tunnel foreignProtocol<br>on_unsupported_protocol tunnel serverTalksFirstProtocol<br>on_unsupported_protocol respond all<br>acl monitoredSites ssl::server_name .<a href="http://youtube.com">youtube.com</a> .<a href="http://ytimg.com">ytimg.com</a><br>acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com<br>acl serverIsBank ssl::server_name .<a href="http://visa.com">visa.com</a><br>acl step1 at_step SslBump1<br>acl step2 at_step SslBump2<br>acl step3 at_step SslBump3<br>ssl_bump bump all<br>strip_query_terms off<br>coredump_dir /var/spool/squid<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br>logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni<br>access_log daemon:/var/log/squid/access.log ssl_custom_format<br>##EOF<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>access.log from before:<br>1724028804.797 486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT <a href="http://40.126.31.73:443">40.126.31.73:443</a> - ORIGINAL_DST/<a href="http://40.126.31.73">40.126.31.73</a> - -<br>1724028805.413 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.028 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.028 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.029 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.030 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.085 57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 
<a href="http://104.18.72.113:443">104.18.72.113:443</a> - ORIGINAL_DST/<a href="http://104.18.72.113">104.18.72.113</a> - -<br>1724028806.086 56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT <a href="http://104.18.72.113:443">104.18.72.113:443</a> - ORIGINAL_DST/<a href="http://104.18.72.113">104.18.72.113</a> - -<br>1724028806.086 56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT <a href="http://104.18.72.113:443">104.18.72.113:443</a> - ORIGINAL_DST/<a href="http://104.18.72.113">104.18.72.113</a> - -<br>1724028806.208 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.213 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.338 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.469 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028806.596 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028807.006 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028807.262 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028808.922 5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT <a href="http://13.107.246.60:443">13.107.246.60:443</a> - ORIGINAL_DST/<a href="http://13.107.246.60">13.107.246.60</a> - -<br>1724028812.906 8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT <a href="http://104.126.37.171:443">104.126.37.171:443</a> - ORIGINAL_DST/<a href="http://104.126.37.171">104.126.37.171</a> - -<br>1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT <a href="http://142.250.186.34:443">142.250.186.34:443</a> - ORIGINAL_DST/<a href="http://142.250.186.34">142.250.186.34</a> - -<br>1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT <a href="http://142.250.184.246:443">142.250.184.246:443</a> - ORIGINAL_DST/<a href="http://142.250.184.246">142.250.184.246</a> - -<br>1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT 
<a href="http://216.58.206.65:443">216.58.206.65:443</a> - ORIGINAL_DST/<a href="http://216.58.206.65">216.58.206.65</a> - -<br>1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT <a href="http://142.250.181.227:443">142.250.181.227:443</a> - ORIGINAL_DST/<a href="http://142.250.181.227">142.250.181.227</a> - -<br>1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT <a href="http://172.217.16.196:443">172.217.16.196:443</a> - ORIGINAL_DST/<a href="http://172.217.16.196">172.217.16.196</a> - -<br>1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT <a href="http://142.250.185.238:443">142.250.185.238:443</a> - ORIGINAL_DST/<a href="http://142.250.185.238">142.250.185.238</a> - -<br>1724028830.336 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028830.781 444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT <a href="http://40.126.31.73:443">40.126.31.73:443</a> - ORIGINAL_DST/<a href="http://40.126.31.73">40.126.31.73</a> - -<br>1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT <a href="http://13.107.6.158:443">13.107.6.158:443</a> - ORIGINAL_DST/<a href="http://13.107.6.158">13.107.6.158</a> - -<br>1724028849.443 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028849.698 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028865.261 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028865.779 517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT <a href="http://40.126.31.73:443">40.126.31.73:443</a> - ORIGINAL_DST/<a href="http://40.126.31.73">40.126.31.73</a> - -<br>1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT <a href="http://20.42.65.94:443">20.42.65.94:443</a> - ORIGINAL_DST/<a href="http://20.42.65.94">20.42.65.94</a> - -<br>1724028871.179 64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT <a href="http://104.18.10.207:443">104.18.10.207:443</a> - ORIGINAL_DST/<a 
href="http://104.18.10.207">104.18.10.207</a> - -<br>1724028871.179 63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT <a href="http://142.250.186.99:443">142.250.186.99:443</a> - ORIGINAL_DST/<a href="http://142.250.186.99">142.250.186.99</a> - -<br>1724028871.179 64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT <a href="http://142.250.185.170:443">142.250.185.170:443</a> - ORIGINAL_DST/<a href="http://142.250.185.170">142.250.185.170</a> - -<br>1724028871.308 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028871.731 422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT <a href="http://40.126.31.73:443">40.126.31.73:443</a> - ORIGINAL_DST/<a href="http://40.126.31.73">40.126.31.73</a> - -<br>1724028872.486 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028873.477 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028873.745 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028873.902 424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT <a href="http://40.126.31.73:443">40.126.31.73:443</a> - ORIGINAL_DST/<a href="http://40.126.31.73">40.126.31.73</a> - -<br>1724028877.056 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028877.060 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028877.060 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028877.060 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT <a href="http://142.250.186.78:443">142.250.186.78:443</a> - ORIGINAL_DST/<a href="http://142.250.186.78">142.250.186.78</a> - -<br>1724028878.800 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028878.920 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028879.072 0 192.168.78.15 NONE_NONE/000 0 - 
error:invalid-request - HIER_NONE/- - -<br>1724028880.808 7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT <a href="http://104.126.37.145:443">104.126.37.145:443</a> - ORIGINAL_DST/<a href="http://104.126.37.145">104.126.37.145</a> - -<br>1724028882.468 33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT <a href="http://49.12.59.2:443">49.12.59.2:443</a> - ORIGINAL_DST/<a href="http://49.12.59.2">49.12.59.2</a> - -<br>1724028883.728 6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT <a href="http://52.216.185.251:443">52.216.185.251:443</a> - ORIGINAL_DST/<a href="http://52.216.185.251">52.216.185.251</a> - -<br>1724028883.789 6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT <a href="http://52.216.185.251:443">52.216.185.251:443</a> - ORIGINAL_DST/<a href="http://52.216.185.251">52.216.185.251</a> - -<br>1724028883.797 6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT <a href="http://52.216.185.251:443">52.216.185.251:443</a> - ORIGINAL_DST/<a href="http://52.216.185.251">52.216.185.251</a> - -<br>1724028883.845 6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT <a href="http://52.216.185.251:443">52.216.185.251:443</a> - ORIGINAL_DST/<a href="http://52.216.185.251">52.216.185.251</a> - -<br>1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT <a href="http://185.199.108.153:443">185.199.108.153:443</a> - ORIGINAL_DST/<a href="http://185.199.108.153">185.199.108.153</a> - -<br>1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT <a href="http://104.126.37.161:443">104.126.37.161:443</a> - ORIGINAL_DST/<a href="http://104.126.37.161">104.126.37.161</a> - -<br>1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT <a href="http://23.37.37.211:443">23.37.37.211:443</a> - ORIGINAL_DST/<a href="http://23.37.37.211">23.37.37.211</a> - -<br>1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT <a href="http://2.18.140.238:443">2.18.140.238:443</a> - ORIGINAL_DST/<a href="http://2.18.140.238">2.18.140.238</a> - -<br>1724028891.212 0 
192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028891.365 152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT <a href="http://142.250.185.138:443">142.250.185.138:443</a> - ORIGINAL_DST/<a href="http://142.250.185.138">142.250.185.138</a> - -<br>1724028893.885 90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT <a href="http://13.107.246.60:443">13.107.246.60:443</a> - ORIGINAL_DST/<a href="http://13.107.246.60">13.107.246.60</a> - -<br>1724028900.169 0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -<br>1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT <a href="http://52.123.243.197:443">52.123.243.197:443</a> - ORIGINAL_DST/<a href="http://52.123.243.197">52.123.243.197</a> - -<br>1724028960.494 60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT <a href="http://172.217.16.206:443">172.217.16.206:443</a> - ORIGINAL_DST/<a href="http://172.217.16.206">172.217.16.206</a> - -<br>1724028960.494 0 192.168.78.15 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - -<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks for any help,<o:p></o:p></p></div><div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal>----<br>Eliezer Croitoru<br>Tech Support<br>Mobile: +972-5-28704261<br>Email: <a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a><o:p></o:p></p></div></div></div></div></div></div></body></html>