[squid-users] sslproxyflags DONT_VERIFY_PEER
Stanford Prescott
stan.prescott at gmail.com
Wed Aug 3 23:51:41 UTC 2016
Okay, it's not a name of the cert problem.
I turned on extra debug info to see what I get when I remove the
DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is
what I got in the cache.log. I only see a couple of lines about a
certificate error. Sorry this is long but I didn't know what to include so
I just included everything for that one access attempt.
*2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0
query ARP table*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0
query ARP on each interface (128 found)*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface lo*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface eth2*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
looking up ARP address for 10.40.40.110 on eth2*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface eth1*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
looking up ARP address for 10.40.40.110 on eth1*
*2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got
address 08:00:27:29:24:4a on eth1*
*2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
*2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
*2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking slow rules*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rules)*
*2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0is not banned*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
localhostgreen*
*2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
<http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]>
(10.40.40.110:49732 <http://10.40.40.110:49732>) vs
10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]*
*2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:49732 <http://10.40.40.110:49732>' NOT found*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
localhostgreen = 0*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/3is not banned*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
tls_s1_connect*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s1_connect = 1*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
<http://10.40.40.110:49732/[:>:] ([::]:49732) vs [::]-[::]/[::]*
*2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:49732 <http://10.40.40.110:49732>' found*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 1*
*2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rules) = 1*
*2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer ALLOWED for match*
*2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
*2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909)
httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443
<http://52.34.245.108:443> remote=10.40.40.110:49732
<http://10.40.40.110:49732> FD 14 flags=33 method 3*
*2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28
checking slow rules*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
http_access*
*2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0is not banned*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
http_access#1*
*2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
SWE_subnets*
*2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
<http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]>
(10.40.40.0:49732 <http://10.40.40.0:49732>) vs
192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
*2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
<http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]>
(10.40.40.0:49732 <http://10.40.40.0:49732>) vs
10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
*2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
<http://10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]>
(10.40.40.0:49732 <http://10.40.40.0:49732>) vs
10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
*2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:49732 <http://10.40.40.110:49732>' found*
*2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
SWE_subnets = 1*
*2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
http_access#1 = 1*
*2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
http_access = 1*
*2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished:
0xa214d28 answer ALLOWED for match*
*2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED*
*2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08*
*2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08*
*2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c*
*2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c*
*2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28*
*2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa214d28*
*2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking slow rules*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rules)*
*2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0 is banned*
*2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/3is not banned*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_s1_connect*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s1_connect = 0*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/6is not banned*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_s2_client_hello*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s2_client_hello = 1*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_to_splice*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_allowed_hsts*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
'tiles.services.mozilla.com <http://tiles.services.mozilla.com>'*
*2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:tiles.services.mozilla.com
<http://tiles.services.mozilla.com> <> .akamaihd.net <http://akamaihd.net>*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match:
'tiles.services.mozilla.com <http://tiles.services.mozilla.com>' NOT found*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
'none'*
*2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:none <> .akamaihd.net <http://akamaihd.net>*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
found*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_allowed_hsts = 0*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_server_is_bank*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
'tiles.services.mozilla.com <http://tiles.services.mozilla.com>'*
*2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:tiles.services.mozilla.com
<http://tiles.services.mozilla.com> <> .wellsfargo.com
<http://wellsfargo.com>*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match:
'tiles.services.mozilla.com <http://tiles.services.mozilla.com>' NOT found*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
'none'*
*2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:none <> .wellsfargo.com
<http://wellsfargo.com>*
*2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
found*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_server_is_bank = 0*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_to_splice = 0*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/4is not banned*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
tls_s2_client_hello*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s2_client_hello = 1*
*2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
<http://10.40.40.110:49732/[:>:] ([::]:49732) vs [::]-[::]/[::]*
*2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:49732 <http://10.40.40.110:49732>' found*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 1*
*2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rules) = 1*
*2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer ALLOWED for match*
*2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
*2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c*
*2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf95080c*
*2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking fast rules*
*2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck:
aclCheckFast: list: 0x9de0a80*
*2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking
sslproxy_cert_error*
*2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'DENIED/0is not banned*
*2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking
sslproxy_cert_error#1*
*2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
<http://10.40.40.110:49732/[:>:] ([::]:49732) vs [::]-[::]/[::]*
*2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:49732 <http://10.40.40.110:49732>' found*
*2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked:
sslproxy_cert_error#1 = 1*
*2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked:
sslproxy_cert_error = 1*
*2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer DENIED for match*
*2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)*
*2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68
checking fast ACLs*
*2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking
cache_access_log stdio:/var/log/squid/access.log*
*2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking
(cache_access_log stdio:/var/log/squid/access.log line)*
*2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked:
(cache_access_log stdio:/var/log/squid/access.log line) = 1*
*2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked:
cache_access_log stdio:/var/log/squid/access.log = 1*
*2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished:
0xbf950b68 answer ALLOWED for match*
*2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68*
*2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950b68*
*2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong:
local=52.34.245.108:443 <http://52.34.245.108:443>
remote=10.40.40.110:49732 <http://10.40.40.110:49732> flags=33*
*2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28
checking fast ACLs*
*2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking
cache_access_log stdio:/var/log/squid/access.log*
*2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking
(cache_access_log stdio:/var/log/squid/access.log line)*
*2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked:
(cache_access_log stdio:/var/log/squid/access.log line) = 1*
*2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked:
cache_access_log stdio:/var/log/squid/access.log = 1*
*2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished:
0xbf950c28 answer ALLOWED for match*
*2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28*
*2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
*2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0
query ARP table*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0
query ARP on each interface (128 found)*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface lo*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface eth2*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
looking up ARP address for 10.40.40.110 on eth2*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
found interface eth1*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
looking up ARP address for 10.40.40.110 on eth1*
*2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got
address 08:00:27:29:24:4a on eth1*
*2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
*2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
*2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking slow rules*
*2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
http_access*
*2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0is not banned*
*2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
http_access#1*
*2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
SWE_subnets*
*2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
<http://10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]>
(10.40.40.0:40595 <http://10.40.40.0:40595>) vs
10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
*2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:40595 <http://10.40.40.110:40595>' found*
*2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
SWE_subnets = 1*
*2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
http_access#1 = 1*
*2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
http_access = 1*
*2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer ALLOWED for match*
*2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
*2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198*
*2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950198*
*2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc*
*2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc*
*2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c*
*2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c*
*2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc*
*2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc*
*2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8
checking fast ACLs*
*2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking
cache_access_log stdio:/var/log/squid/access.log*
*2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking
(cache_access_log stdio:/var/log/squid/access.log line)*
*2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked:
(cache_access_log stdio:/var/log/squid/access.log line) = 1*
*2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked:
cache_access_log stdio:/var/log/squid/access.log = 1*
*2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished:
0xbf950ae8 answer ALLOWED for match*
*2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8*
*2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638
query ARP table*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638
query ARP on each interface (128 found)*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
found interface lo*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
found interface eth2*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638
looking up ARP address for 10.40.40.110 on eth2*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
found interface eth1*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638
looking up ARP address for 10.40.40.110 on eth1*
*2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got
address 08:00:27:29:24:4a on eth1*
*2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
*2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
*2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking slow rules*
*2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rules)*
*2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0is not banned*
*2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
localhostgreen*
*2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
<http://10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]>
(10.40.40.110:35474 <http://10.40.40.110:35474>) vs
10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]*
*2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:35474 <http://10.40.40.110:35474>' NOT found*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
localhostgreen = 0*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/3is not banned*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
tls_s1_connect*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s1_connect = 1*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
<http://10.40.40.110:35474/[:>:] ([::]:35474) vs [::]-[::]/[::]*
*2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:35474 <http://10.40.40.110:35474>' found*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rules) = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer ALLOWED for match*
*2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
*2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909)
httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443
<http://98.138.253.109:443> remote=10.40.40.110:35474
<http://10.40.40.110:35474> FD 18 flags=33 method 3*
*2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28
checking slow rules*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
http_access*
*2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0is not banned*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
http_access#1*
*2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
SWE_subnets*
*2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
<http://10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]>
(10.40.40.0:35474 <http://10.40.40.0:35474>) vs
10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
*2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:35474 <http://10.40.40.110:35474>' found*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
SWE_subnets = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
http_access#1 = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
http_access = 1*
*2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished:
0xa214d28 answer ALLOWED for match*
*2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED*
*2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08*
*2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08*
*2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c*
*2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c*
*2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28*
*2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa214d28*
*2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking slow rules*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rules)*
*2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/0 is banned*
*2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/3is not banned*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_s1_connect*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s1_connect = 0*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/6is not banned*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_s2_client_hello*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s2_client_hello = 1*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_to_splice*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_allowed_hsts*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
'www.yahoo.com <http://www.yahoo.com>'*
*2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:www.yahoo.com <http://www.yahoo.com> <>
.akamaihd.net <http://akamaihd.net>*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match:
'www.yahoo.com <http://www.yahoo.com>' NOT found*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
'none'*
*2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:none <> .akamaihd.net <http://akamaihd.net>*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
found*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_allowed_hsts = 0*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_server_is_bank*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
'www.yahoo.com <http://www.yahoo.com>'*
*2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:www.yahoo.com <http://www.yahoo.com> <>
.wellsfargo.com <http://wellsfargo.com>*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match:
'www.yahoo.com <http://www.yahoo.com>' NOT found*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
'none'*
*2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
aclHostDomainCompare: Match:none <> .wellsfargo.com
<http://wellsfargo.com>*
*2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
found*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_server_is_bank = 0*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_to_splice = 0*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 0*
*2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'ALLOWED/4is not banned*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
(ssl_bump rule)*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
tls_s2_client_hello*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
tls_s2_client_hello = 1*
*2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
<http://10.40.40.110:35474/[:>:] ([::]:35474) vs [::]-[::]/[::]*
*2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:35474 <http://10.40.40.110:35474>' found*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rule) = 1*
*2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
(ssl_bump rules) = 1*
*2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer ALLOWED for match*
*2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
*2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c*
*2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf95080c*
*2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
*2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
checking fast rules*
*2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck:
aclCheckFast: list: 0x9de0a80*
*2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
sslproxy_cert_error*
*2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action
'DENIED/0is not banned*
*2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
sslproxy_cert_error#1*
*2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all*
*2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
<http://10.40.40.110:35474/[:>:] ([::]:35474) vs [::]-[::]/[::]*
*2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
'10.40.40.110:35474 <http://10.40.40.110:35474>' found*
*2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
*2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
sslproxy_cert_error#1 = 1*
*2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
sslproxy_cert_error = 1*
*2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished:
0xa210ad8 answer DENIED for match*
*2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (1/-1/0)*
*2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68
checking fast ACLs*
*2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
cache_access_log stdio:/var/log/squid/access.log*
*2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
(cache_access_log stdio:/var/log/squid/access.log line)*
*2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
(cache_access_log stdio:/var/log/squid/access.log line) = 1*
*2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
cache_access_log stdio:/var/log/squid/access.log = 1*
*2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished:
0xbf950b68 answer ALLOWED for match*
*2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68*
*2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950b68*
*2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong:
local=98.138.253.109:443 <http://98.138.253.109:443>
remote=10.40.40.110:35474 <http://10.40.40.110:35474> flags=33*
*2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28
checking fast ACLs*
*2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
cache_access_log stdio:/var/log/squid/access.log*
*2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
(cache_access_log stdio:/var/log/squid/access.log line)*
*2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
(cache_access_log stdio:/var/log/squid/access.log line) = 1*
*2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
cache_access_log stdio:/var/log/squid/access.log = 1*
*2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished:
0xbf950c28 answer ALLOWED for match*
*2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28*
*2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
*2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
*2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
The web browser error says:
"Failed to establish a secure connection to (a yahoo.com IP address was
here)"
and another message of "(71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
and "Certificate issuer (CA) not known".
On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.prescott at gmail.com>
wrote:
> Thanks for the info, Alex. That's very helpful about cleaning up my ACLs.
> Those ACLs are a collection of ACLs that others have suggested I use, but
> it would be nice to make them less confusing for me.
>
> With my limited understanding of how sslbump works, the idea for squid to
> play MITM is that a self-signed cert like squidCA.der is imported to a
> browser's root CAs. I have left a copy of the self-signed cert named
> squidCA.pem in the squid's cert directory which only works if squid is told
> to not verify the peer. When following the instructions how to generate the
> self-signed cert with openssl, the .pem file must be converted to a .der
> file for the browser to accept it. It just dawned on me that, could this be
> related to the fact that the squid self-signed certs are not named the same?
>
> On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <
> rousskov at measurement-factory.com> wrote:
>
>> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>>
>> > ssl_bump none localhostgreen
>> > ssl_bump peek tls_s1_connect all
>> > ssl_bump splice tls_s2_client_hello tls_to_splice
>> > ssl_bump stare tls_s2_client_hello all
>> > ssl_bump bump tls_s3_server_hello all
>>
>> AFAICT, the above is too complex. You can simplify it with:
>>
>> ssl_bump splice localhostgreen
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice tls_to_splice
>> ssl_bump stare all
>> ssl_bump bump all
>>
>> and, after polishing your ACLs a little, possibly even with:
>>
>> ssl_bump splice transactions_to_splice
>> ssl_bump peek tls_s1_connect
>> ssl_bump stare all
>> ssl_bump bump all
>>
>> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
>> and tls_to_splice)".
>>
>>
>> As for your original question, I recommend figuring out why Squid cannot
>> verify the peer. For example, your setup might be missing fresh
>> certificates for some well-known Root CAs. I do not know a good way to
>> figure out why peer verification does not work, but analyzing cache.log
>> with high-enough debugging level should be doable, especially if you can
>> reproduce the problem using a single transaction:
>>
>>
>> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160803/5875f69a/attachment-0001.html>
More information about the squid-users
mailing list