[squid-users] SSL bumping without faked server certificates
Alex Rousskov
rousskov at measurement-factory.com
Sat Nov 14 22:52:43 UTC 2015
On 11/14/2015 12:42 PM, Stefan Kutzke wrote:
> I have built an RPM package with the latest 3.5.11 source based
> on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
> Squid is configured with SSL bump similar to the configuration suggested
> by Sebastian.
...
> 2015/11/10 19:24:30.181 kid1| 33,5|...
> 2015/11/10 19:25:30.016 kid1| 33,3| AsyncCall.cc(93) ScheduleCall:
> IoCallback.cc(135) will call
> ConnStateData::clientPinnedConnectionRead(local=172.31.1.15:49421
> remote=212.45.105.89:443 FD 15 flags=1, flag=-10, data=0x19ced08)
> [call349]
This one second gap after a successful SSL negotiation with the origin
server is rather suspicious, but I am going to ignore it, go out on a
limb, and speculate that you might be suffering from the "Handshake
Problem during Renegotiation" bug that we recently fixed. I do not think
the fix has made it into v3.5 branch yet, but you can get our v3.5 patch
here:
http://lists.squid-cache.org/pipermail/squid-dev/2015-November/003700.html
If that fix does not help, I recommend the following:
1. Reproduce the same bug with debug_options set to ALL,9.
2. File a new bug report in Squid bugzilla and post [compressed]
cache.log or a link to that log there. You may also post here, but it is
easier to track progress in bugzilla.
Thank you,
Alex.
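Alex's diagnosis above hinges on spotting an unexpected pause between two consecutive cache.log entries. The following helper, added here as an illustration and not part of the thread or of Squid itself, parses the timestamp prefix that Squid debug lines carry (`YYYY/MM/DD HH:MM:SS.mmm kidN|`), skips continuation lines that lack one, and reports every gap at or above a chosen threshold so that such pauses stand out in a large `debug_options ALL,9` log. The sample lines embedded in it are constructed for the example; their section numbers and message text are placeholders, not real Squid output.

```python
"""Flag suspicious time gaps between consecutive Squid cache.log entries.

Added example, not code from the squid-users thread or from the Squid
project.  Squid debug lines begin with "YYYY/MM/DD HH:MM:SS.mmm kidN| ...";
the SAMPLE_LOG below is constructed for this example (section numbers and
message text are placeholders).
"""
import re
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Timestamp prefix of a Squid cache.log debug line (continuation lines lack it).
_TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) kid\d+\|")


def parse_timestamp(line: str) -> Optional[datetime]:
    """Return the line's timestamp, or None for lines without the prefix."""
    m = _TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")


def find_gaps(lines: Iterable[str], threshold_s: float) -> List[Tuple[float, str, str]]:
    """Return (gap_seconds, previous_line, current_line) for each pair of
    consecutive timestamped lines spaced threshold_s seconds or more apart.

    Lines without a timestamp are treated as continuations of the previous
    entry and do not reset the comparison point.
    """
    gaps: List[Tuple[float, str, str]] = []
    prev_ts: Optional[datetime] = None
    prev_line = ""
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        if prev_ts is not None:
            gap = (ts - prev_ts).total_seconds()
            if gap >= threshold_s:
                gaps.append((gap, prev_line, line))
        prev_ts, prev_line = ts, line
    return gaps


# Constructed sample: a busy handshake, then a one-second pause before the
# next scheduled read on the pinned connection.
SAMPLE_LOG = [
    "2015/11/10 19:24:30.100 kid1| 83,5| constructed: handshake step",
    "2015/11/10 19:24:30.181 kid1| 83,5| constructed: handshake with origin completed",
    "    constructed continuation line without a timestamp",
    "2015/11/10 19:24:31.183 kid1| 33,3| constructed: next pinned-connection read scheduled",
]


if __name__ == "__main__":
    # Report gaps of half a second or more in the constructed sample.
    for gap, before, after in find_gaps(SAMPLE_LOG, 0.5):
        print(f"{gap:.3f}s gap between:\n  {before}\n  {after}")
```

Run it against a real cache.log with `find_gaps(open("cache.log"), 0.5)`; the threshold is a tuning knob, since a busy proxy at level 9 normally logs many lines per millisecond and any sub-second silence inside a single transaction is worth a look.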