[squid-users] peek/splice working with lynx but not with firefox or chrome [SOLVED]

john jacob john.kj1984 at gmail.com
Fri Mar 13 14:40:35 UTC 2015


Hi,

I also have a similar environment with squid (version 3.5.2-20150218-r13758)
and openssl 1.0.1k, but for me only a small number of https sites are working
with peek and splice. For example, I can access https://www.google.com but
not https://ssllabs.com and a lot of other https domains, which give "Error
negotiating SSL on FD 15: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse
tlsext (1/-1/0)" in the cache.log file.

Also I can see a bunch of other error messages in the cache.log file relating
to openssl (like "Error negotiating SSL on FD 21: error:14094085:SSL
routines:SSL3_READ_BYTES:ccs received early (1/-1/0)", "Error verifying
certificates", etc.) when trying to access sites like https://www.facebook.com,
https://www.yahoo.com, etc.

Squid is running on a CentOS 7 x64 box and the workstation is Win7 with Firefox
and Chrome. I tried building openssl with certain options disabled
(no-nextprotoneg and no-ec), as well as with the recent openssl version 1.0.2,
but without any success.

Below is my squid config file.

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Peek at the TLS hellos of every intercepted connection, then splice
# (tunnel) all of them without bumping
ssl_bump peek all
ssl_bump splice all

# Squid normally listens to port 3128
http_port <WAN Interface IP>:3128
http_port <WAN Interface IP>:3129 intercept
https_port <WAN Interface IP>:3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem

Does this have anything to do with my environment or the config options?
Any help on this is highly appreciated.

Thanks in advance,
John

On Tue, Mar 10, 2015 at 10:42 PM, Roel van Meer <roel at 1afa.com> wrote:

> Roel van Meer writes:
>
>>>>>> I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
>>>>>> Traffic is redirected from port 443 to 3130 with iptables.
>>>>>
>>>>> ... and with an older version of OpenSSL missing many of the last few
>>>>> years' worth of TLS crypto features. IIRC the library releases are now
>>>>> up to 1.1.* or something. It's best to keep that kind of thing
>>>>> operating on the latest versions.
>>>>
>>>> I know it is missing the latest features, but security patches are
>>>> backported. And I know it is old, but it's what I have to work with
>>>> now. Do you think it might be the cause of the problem I'm having with
>>>> peek/splice, or was it a general recommendation?
>>>
>>> It's a potential source of problems. Chrome is very much on the front
>>> line of the arms race attempting to stop things like SSL-Bump working.
>>> Firefox implements its own crypto library which tracks the latest TLS
>>> features at a similar speed of development.
>>> OpenSSL will be perpetually behind both of them, but at least the latest
>>> one(s) have better chances of not advertising features they reject on
>>> "considered harmful" grounds.
>>
>> I'll have a go then at trying with a newer openssl and the patches from
>> the thread you mentioned.
>
> With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections
> with no trouble. Tested with Lynx, Chrome, Firefox, and IE.
>
> So you were right. :) Thanks a lot for pointing me in the right direction!
>
> Cheers,
>
> Roel
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
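The thread boils down to separating two things: what OpenSSL reports in cache.log, and whether the OpenSSL build that Squid links against can complete a handshake with the failing origins at all. The script below is an added example for doing that triage, not code from John, Roel or the Squid project. The cache.log sample is constructed from the messages quoted above (the timestamp prefix is an assumed format), the error-code packing follows OpenSSL 1.0.x (ERR_PACK puts the library in the top 8 bits, the function in the next 12 and the reason in the low 12), and the probe assumes it is run on the proxy host with an openssl binary built from the same library Squid uses.

```shell
#!/bin/sh
# Added example, not part of the thread: triage "Error negotiating SSL"
# lines from Squid's cache.log and check the origin handshake with the
# OpenSSL library that the squid binary actually links against.

# Constructed sample of cache.log lines, modelled on the messages quoted
# in the thread; the timestamp prefix is an assumption about the format.
SAMPLE_LOG=$(cat <<'EOF'
2015/03/13 14:20:01| Error negotiating SSL on FD 15: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)
2015/03/13 14:20:05| Error negotiating SSL on FD 21: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
2015/03/13 14:20:09| Error negotiating SSL on FD 18: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)
2015/03/13 14:20:12| Error verifying certificates
EOF
)

# Read cache.log on stdin; print "COUNT error:CODE ROUTINE:REASON" for each
# distinct OpenSSL handshake error, most frequent first. Lines such as
# "Error verifying certificates" carry no OpenSSL code and are skipped.
summarize_ssl_errors() {
  grep 'Error negotiating SSL' \
    | sed -n 's/.*\(error:[0-9A-Fa-f]\{8\}\):SSL routines:\([^:]*\):\([^(]*\).*/\1 \2:\3/p' \
    | sed 's/ *$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ c = $1; sub(/^ *[0-9]+ +/, ""); print c, $0 }'
}

# Split a packed OpenSSL 1.0.x error code (the hex after "error:") into its
# library, function and reason numbers: ERR_PACK(lib, func, reason) is
# (lib << 24) | (func << 12) | reason. The numbers can be looked up in the
# OpenSSL headers (ERR_LIB_SSL is 20; SSL_F_* and SSL_R_* live in ssl.h),
# or with "openssl errstr CODE" when an openssl binary is at hand.
decode_openssl_error() {
  hex=${1#error:}
  code=$((0x$hex))
  printf 'lib=%d func=%d reason=%d\n' \
    $(( (code >> 24) & 0xff )) $(( (code >> 12) & 0xfff )) $(( code & 0xfff ))
}

# Which OpenSSL does the installed squid binary use? The "openssl" on PATH
# and the library squid links against are often different builds, which
# makes a manual test behave differently from the proxy.
squid_openssl() {
  bin=$(command -v squid) || { echo "squid not on PATH" >&2; return 1; }
  "$bin" -v | head -n 1
  ldd "$bin" | grep -E 'libssl|libcrypto'
}

# Library-level handshake check against an origin with the given openssl
# binary (default: the one on PATH). s_client sends its own ClientHello, so
# this is not an exact replay of what Squid forwards during peek, but a
# failure here with the same library version rules out squid.conf as the
# cause. Needs network access, so it is not run by default.
probe_tls() {
  host=$1
  ossl=${2:-openssl}
  err=$(mktemp)
  if "$ossl" s_client -connect "$host:443" -servername "$host" </dev/null \
       >/dev/null 2>"$err"; then
    echo "$host: handshake OK"
  else
    echo "$host: handshake FAILED: $(grep 'error:' "$err" | head -n 1)"
  fi
  rm -f "$err"
}

# Offline demo on the constructed sample. Run the probe by hand on the proxy,
# e.g.: probe_tls ssllabs.com /usr/local/ssl/bin/openssl
printf '%s\n' "$SAMPLE_LOG" | summarize_ssl_errors
decode_openssl_error 140920E3
```

Run `summarize_ssl_errors < /var/log/squid/cache.log` to see which OpenSSL routine and reason dominate, then `probe_tls` against one working and one failing host from the summary with the same OpenSSL build that `squid_openssl` reports; if the standalone handshake fails with the same reason, the next step is the library version (the fix that worked for Roel), and if it succeeds, the difference is in what Squid sends during peek.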