[squid-users] peek/splice working with lynx but not with firefox or chrome
Roel van Meer
roel at 1afa.com
Tue Mar 10 13:46:54 UTC 2015
Hi list!
I'm trying to get peek/splice working with intercepted https connections.
The final goal is to accept or reject connections based on the SNI info that
we get from the first peek. So first, I would like to be able to do
peek/splice on all requests, and then later I can use an external acl to
block some of them.
I'm having trouble getting the first step to work. My peek/splice config
works when I use lynx as a browser, but not (well) with firefox or chrome.
The latter two sometimes return a result, but often don't. When this happens
I get diverse errors in the cache log like:
Error negotiating SSL on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Error negotiating SSL on FD 41: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
Error negotiating SSL on FD 31: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
The relevant portions of squid.conf:
https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. Traffic
is redirected from port 443 to 3130 with iptables.
Any help would be really appreciated.
Thanks a lot,
Roel
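What the step1 peek actually hands to an SNI-based ACL, as an added example (not from the original post and not Squid code): a minimal parser for the server_name extension of a TLS ClientHello, plus a builder that constructs sample ClientHello records for offline testing. A client that sends no SNI extension yields None, which is the case any accept/reject rule keyed on SNI has to handle.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed test input (not a capture): a minimal TLS 1.2 ClientHello
    record. If server_name is None the SNI extension is omitted entirely."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, random, empty session id
    cipher_suites = b"\x00\x2f\x00\x35"              # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                               # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the host_name from a ClientHello's SNI extension, or None when the
    bytes are not a ClientHello, are truncated, or carry no SNI extension."""
    try:
        if data[0] != 0x16:                           # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                             # not a ClientHello
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + p[pos]                             # session id
        pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]   # cipher suites
        pos += 1 + p[pos]                             # compression methods
        if pos + 2 > len(p):
            return None                               # no extensions block at all
        end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4])
            pos += 4
            if etype == 0:
                lst, q = p[pos:pos + elen], 2         # skip server_name_list length
                while q + 3 <= len(lst):
                    ntype, nlen = lst[q], struct.unpack("!H", lst[q + 1:q + 3])[0]
                    if ntype == 0:
                        return lst[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error):
        return None                                   # truncated or malformed record
```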