[squid-users] Error when using peek/splice/terminate with Squid 3.5.1

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 16 22:17:22 UTC 2015


On 16/02/2015 6:54 p.m., John Killimangalam Jacob wrote:
> Hi All,
> 
> I am trying to configure an intercept proxy with
> peek/splice/terminate features in Squid 3.5.1 on CentOS 7 - 64 bit. I
> wanted to peek at steps 1 and 2 and to decide on terminate at
> step 3 based on the SNI and server certificate values. It is working
> only for https://www.google.com, but a lot of other SSL sites (the likes of
> https://www.yahoo.com etc.) are not getting loaded, logging an "Error
> negotiating SSL on FD 36: error:140920E3:SSL
> routines:SSL3_GET_SERVER_HELLO:parse tlsext" in the cache.log
> (trying the same sites using the openssl s_client command works). I was
> wondering if it has anything to do with my config or OpenSSL
> (version 1.0.1e) or anything else. The web sites are being accessed
> from a Windows 7 workstation with IE 8 and Firefox 35.0.1. Below is
> the squid.config section for peek and splice I am using.
> 

Your config looks fine to me. The complaints seem to be about peek on
the server TLS-extensions values having something unknown in them.

There is a bug winding its way through QA right now to fix interaction
of peek/stare on server connections with the sslproxy_options setting.
The workaround is to not set sslproxy_options for now.


I don't think the OpenSSL version is related (maybe, maybe not) but do try to
use the latest OpenSSL version you can, just because of the security
vulnerabilities and bug fixes found in it over the last few months.

Also, there are SNI fixes in the latest 3.5.1 snapshot you will be needing.


PS. You may want to seriously consider removing that disclaimer from
public posts, particularly when discussing the legally borderline topic
of SSL-bump.

Amos
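As an added illustration, not part of the original thread and not the poster's own config (which was not reproduced above): a squid.conf fragment in Squid 3.5 syntax for the setup being discussed, peeking at steps 1 and 2 and terminating at step 3 on the server name, with sslproxy_options left unset as the reply suggests. The port number, CA certificate path and the .example.net domain are assumptions chosen for the example.

```conf
# Added example (Squid 3.5 ssl_bump syntax), not the poster's configuration.
# Assumptions: intercept port 3130, CA cert+key in /etc/squid/ssl_cert/myCA.pem,
# and .example.net as the domain whose connections should be terminated.

https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Workaround from the thread: do not set sslproxy_options while the
# peek/stare interaction bug is still in QA. Left commented out on purpose.
# sslproxy_options NO_SSLv2,NO_SSLv3

# Step 1: TCP connection accepted, only the destination IP:port is known.
acl step1 at_step SslBump1
# Step 2: client Hello parsed, so the SNI is available.
acl step2 at_step SslBump2
# Step 3: server Hello and server certificate parsed.
acl step3 at_step SslBump3

# ssl::server_name is filled from the SNI at step 2 and from the server
# certificate (CN/SAN) at step 3, so one ACL covers both inputs.
acl terminate_domains ssl::server_name .example.net

ssl_bump peek step1
ssl_bump peek step2
ssl_bump terminate step3 terminate_domains
ssl_bump splice all
```

This design never bumps, so Squid issues no forged certificates; peeking at step 2 is what makes the real server certificate visible at step 3, and the remaining choice there is splice or terminate. With sslproxy_options unset Squid negotiates with its OpenSSL defaults, which is why the workaround sidesteps the tlsext parse error in the poster's log.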


