[squid-users] Error when using peek/splice/terminate with Squid 3.5.1

john jacob john.kj1984 at gmail.com
Fri Mar 20 11:04:30 UTC 2015


Also, this issue no longer appears if I peek at step 1 alone and splice
the remaining ones.

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3


ssl_bump peek step1 all
ssl_bump splice all

So I guess the issue is with the PeerConnector module, where the
SSL_connect method is being used to connect and parse the server
certificate.


I have added this as a bug as well.

http://bugs.squid-cache.org/show_bug.cgi?id=4202

Regards,
John





From: John Killimangalam Jacob
Sent: Monday, February 16, 2015 11:25 AM
To: 'squid-users at lists.squid-cache.org'
Subject: Error when using peek/splice/terminate with Squid 3.5.1



Hi All,



I am trying to configure an intercept proxy with peek/splice/terminate
features in Squid 3.5.1 on CentOS 7 - 64 bit. I wanted to peek at steps 1
and 2 and to decide on terminate at step 3 based on the SNI and server
certificate values. It is working only for https://www.google.com, but a lot
of other SSL sites (the likes of https://www.yahoo.com etc.) are not getting
loaded, logging an "Error negotiating SSL on FD 36: error:140920E3:SSL
routines:SSL3_GET_SERVER_HELLO:parse tlsext" in the cache.log (trying
the same sites using the openssl s_client command works). I was wondering if it
has anything to do with my config or OpenSSL (version 1.0.1e) or anything
else. The web sites are being accessed from a Windows 7 workstation with IE
8 and Firefox 35.0.1. Below is the squid.config section for peek and
splice I am using.



acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3

external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject
</path/to/urlfilterscript>

acl URL_Allowed external SSL_URL_Filter

ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump terminate step3 !URL_Allowed
ssl_bump splice step3 all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump
cert=/tmp/sslcertificates/server.cert.pem
key=/tmp/sslcertificates/server.key.pem



Thanks in Advance,

John
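For readers setting up the same external_acl_type line, here is an added example (not from the original post or from the Squid project) of what the urlfilterscript helper behind it could look like: it reads the %SRC %ssl::>sni %ssl::<cert_subject fields Squid sends per request and answers OK or ERR, treating the '-' that Squid sends for a not-yet-available certificate subject (steps 1 and 2) as "no certificate yet" and, at step 3, refusing when the certificate CN does not match the SNI. The allowlist, the addresses and the subjects are constructed sample data, and the helper assumes Squid's default quote=url percent-encoding of field values.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for:
  external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject /path/to/this.py
One request per stdin line; one OK/ERR/BH answer per stdout line."""
import sys
from urllib.parse import unquote

# Constructed sample allowlist; a real deployment would load this from a file.
ALLOWED_SNI = {"www.google.com", "www.yahoo.com"}

def parse_line(line):
    """Split a request line into (src, sni, cert_subject).
    Each %-token value is percent-encoded (assumed default quote=url), so a
    subject such as 'CN=www.yahoo.com, O=Yahoo' arrives as one field; Squid
    sends '-' for values it does not have yet (cert before step 3)."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 3:
        raise ValueError("expected 3 fields, got %d" % len(fields))
    src, sni, subject = (unquote(f) for f in fields[:3])
    return src, sni, (None if subject == "-" else subject)

def subject_cn(subject):
    """Return the lower-cased CN from an 'a=b, c=d' or '/a=b/c=d' subject."""
    for part in subject.replace("/", ",").split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip().lower()
    return None

def decide(src, sni, subject):
    """OK when the SNI is allowlisted and, once the server certificate is
    known, its CN (or *.wildcard) covers the SNI the client asked for."""
    host = sni.lower()
    if host not in ALLOWED_SNI:
        return "ERR"
    if subject is not None:
        cn = subject_cn(subject)
        wildcard_ok = bool(cn) and cn.startswith("*.") and host.endswith(cn[1:])
        if cn != host and not wildcard_ok:
            return "ERR"
    return "OK"

def handle(line):
    """Map one raw helper request line to the answer Squid expects."""
    try:
        return decide(*parse_line(line))
    except ValueError:
        return "BH"  # helper could not process this request line

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle(request) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer
```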