[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Wed Sep 16 15:51:13 UTC 2015

On 17/09/2015 3:16 a.m., Dieter Bloms wrote:
> Hello Antony,
> 
> 
> On Wed, Sep 16, Antony Stone wrote:
> 
>> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>>
>>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
>>> accessible via HTTPS and sslbump enable.
>>> But I can't get any access to the destination
>>> https://banking.postbank.de, which is accessible with 3.4.13.
>>> I use the same config for both squid versions.
>>
>> 1. What is that configuration (squid.conf without comments or blank lines, 
>> please)?
> 
> the relevant part ist:
> 
> --snip--
> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem

Replace these...

> ssl_bump none nodecryptdomains
> ssl_bump server-first all

... with:

 acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice nodecrypt
 ssl_bump bump all

Maybe also remove the nodecryptdomains ACL. Depends on whether you use
it anywhere else.

> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher  ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> --snip--
> 
> the destination banking.postbank.de is not listed in the /etc/squid/nodecrypt.domains file
> 
> with squid-3.4.13 the logs look like:
> 
> --snip--
> 1442410263.639     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.737     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.738     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.739     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.751     33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
> 1442410263.822     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.823     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
> --snip--
> 
> with squid 3.5.8 the logs look like:
> 
> --snip--
> 1442410295.266     32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.297     28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.328     29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.379     43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.420     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.460     38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.500     37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.548     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.590     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.629     36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> --snip--

This is the CONNECT request which was made prior to the ssl_bump rules
being checked. 3.5 will log this regardless of bumping (or not). The
absence of "TCP_TUNNEL" means the bumping did happen.

Amos