[squid-users] SSL bumping without faked server certificates

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 15 01:23:06 UTC 2015


On 15/11/2015 11:52 a.m., Alex Rousskov wrote:
> On 11/14/2015 12:42 PM, Stefan Kutzke wrote:
> 
>> I have built an RPM package with the latest 3.5.11 source based
>> on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
>> Squid is configured with SSL bump similar to the configuration suggested
>> by Sebastian.
> 
> ...
> 
>> 2015/11/10 19:24:30.181 kid1| 33,5|...
>> 2015/11/10 19:25:30.016 kid1| 33,3| AsyncCall.cc(93) ScheduleCall:
>> IoCallback.cc(135) will call
>> ConnStateData::clientPinnedConnectionRead(local=172.31.1.15:49421
>> remote=212.45.105.89:443 FD 15 flags=1, flag=-10, data=0x19ced08)
>> [call349]
> 
> 
> This one-second gap after a successful SSL negotiation with the origin
> server is rather suspicious, but I am going to ignore it, go out on a
> limb, and speculate that you might be suffering from the "Handshake
> Problem during Renegotiation" bug that we recently fixed. I do not think
> the fix has made it into the v3.5 branch yet, but you can get our v3.5
> patch here:
> 
> http://lists.squid-cache.org/pipermail/squid-dev/2015-November/003700.html
> 

FYI: I've just done the backport. It will be in snapshot r13951 or later,
which should be available in 6-12 hours.

Amos


