[squid-users] sslproxyflags DONT_VERIFY_PEER
Bruce Rosenberg
bruce.rosenberg.au at gmail.com
Thu Aug 4 01:05:08 UTC 2016
It looks like you are missing the Verisign Class 3 Public Primary Root cert.
Notice the certificate chain list below.
Yahoo correctly sends back all intermediate certificates in the TLS
handshake, so the only certificate you need to make sure squid trusts (via
openssl) is the Verisign root.
You should be able to determine if the openssl client on the squid proxy
can verify the complete chain by running the following command on the proxy.
The important part is that at each step it outputs "verify return:1",
meaning that the certificate at that depth in the chain was successfully
verified by its issuing certificate, i.e. the certificate at the previous
higher-level depth that we have already established we trust.
The root certificate is automagically verified by virtue of being
explicitly trusted by your openssl.
$ openssl s_client -connect www.yahoo.com:443 </dev/null
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU = Information Technology, CN = www.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <stan.prescott at gmail.com> wrote:
> Okay, it's not a name of the cert problem.
>
> I turned on extra debug info to see what I get when I remove the
> DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is
> what I got in the cache.log. I only see a couple of lines about a
> certificate error. Sorry this is long but I didn't know what to include so
> I just included everything for that one access attempt.
>
> 2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
> 2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
> 2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
> 2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
> 2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
> 2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
> 2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:49732) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
> 2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' NOT found
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all
> 2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
> 2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
> 2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
> 2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
> 2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443 remote=10.40.40.110:49732 FD 14 flags=33 method 3
> 2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access
> 2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
> 2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
> 2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
> 2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
> 2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
> 2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> 2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
> 2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
> 2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
> 2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
> 2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
> 2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
> 2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
> 2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
> 2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
> 2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
> 2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
> 2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned
> 2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
> 2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <> .akamaihd.net
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .akamaihd.net
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
> 2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <> .wellsfargo.com
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .wellsfargo.com
> 2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
> 2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all
> 2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
> 2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
> 2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
> 2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
> 2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
> 2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
> 2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
> 2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
> 2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
> 2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
> 2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
> 2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
> 2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
> 2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all
> 2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
> 2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
> 2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
> 2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
> 2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
> 2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
> 2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
> 2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
> 2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
> 2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
> 2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
> 2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
> 2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
> 2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
> 2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=52.34.245.108:443 remote=10.40.40.110:49732 flags=33
> 2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
> 2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
> 2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
> 2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
> 2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
> 2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
> 2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
> 2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
> 2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
> 2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
> 2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
> 2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
> 2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
> 2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
> 2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access
> 2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
> 2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
> 2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:40595) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:40595' found
> 2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
> 2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
> 2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> 2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
> 2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
> 2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198
> 2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198
> 2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc
> 2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc
> 2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c
> 2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c
> 2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
> 2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
> 2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc
> 2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc
> 2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs
> 2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
> 2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
> 2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
> 2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
> 2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match
> 2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8
> 2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on each interface (128 found)
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1
> 2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1
> 2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
> 2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
> 2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
> 2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
> 2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
> 2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:35474) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
> 2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' NOT found
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all
> 2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474) vs [::]-[::]/[::]
> 2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
> 2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
> 2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443 remote=10.40.40.110:35474 FD 18 flags=33 method 3
> 2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access
> 2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
> 2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
> 2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:35474) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> 2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
> 2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
> 2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
> 2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
> 2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
> 2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
> 2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
> 2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
> 2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
> 2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
> 2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
> 2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned
> 2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
> 2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <> .akamaihd.net
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .akamaihd.net
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
> 2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <> .wellsfargo.com
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .wellsfargo.com
> 2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
> 2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all
> 2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474) vs [::]-[::]/[::]
> 2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
> 2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
> *2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback:
> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
> *2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c*
> *2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0xbf95080c*
> *2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
> *2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
> checking fast rules*
> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck:
> aclCheckFast: list: 0x9de0a80*
> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
> sslproxy_cert_error*
> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction:
> Action 'DENIED/0is not banned*
> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
> sslproxy_cert_error#1*
> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all*
> *2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
> aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
> <http://10.40.40.110:35474/%5B:>:] ([::]:35474) vs [::]-[::]/[::]*
> *2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
> '10.40.40.110:35474 <http://10.40.40.110:35474>' found*
> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1*
> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
> sslproxy_cert_error#1 = 1*
> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
> sslproxy_cert_error = 1*
> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished:
> 0xa210ad8 answer DENIED for match*
> *2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed (1/-1/0)*
> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68
> checking fast ACLs*
> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
> cache_access_log stdio:/var/log/squid/access.log*
> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
> (cache_access_log stdio:/var/log/squid/access.log line)*
> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
> cache_access_log stdio:/var/log/squid/access.log = 1*
> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished:
> 0xbf950b68 answer ALLOWED for match*
> *2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68*
> *2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0xbf950b68*
> *2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong:
> local=98.138.253.109:443 <http://98.138.253.109:443>
> remote=10.40.40.110:35474 <http://10.40.40.110:35474> flags=33*
> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28
> checking fast ACLs*
> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
> cache_access_log stdio:/var/log/squid/access.log*
> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
> (cache_access_log stdio:/var/log/squid/access.log line)*
> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
> cache_access_log stdio:/var/log/squid/access.log = 1*
> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished:
> 0xbf950c28 answer ALLOWED for match*
> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28*
> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>
>
> The web browser error says:
> "Failed to establish a secure connection to (a yahoo.com IP address was
> here)"
> and another message of "(71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
> and "Certificate issuer (CA) not known".
>
> On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.prescott at gmail.com> wrote:
>
>> Thanks for the info, Alex. That's very helpful about cleaning up my ACLs.
>> Those ACLs are a collection of ACLs that others have suggested I use, but
>> it would be nice to make them less confusing for me.
>>
>> With my limited understanding of how sslbump works, the idea for squid to
>> play MITM is that a self-signed cert like squidCA.der is imported to a
>> browser's root CAs. I have left a copy of the self-signed cert named
>> squidCA.pem in the squid's cert directory, which only works if squid is told
>> to not verify the peer. When following the instructions on how to generate
>> the self-signed cert with openssl, the .pem file must be converted to a .der
>> file for the browser to accept it. It just dawned on me: could this be
>> related to the fact that the squid self-signed certs are not named the same?
>>
>> On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>
>>> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>>>
>>> > ssl_bump none localhostgreen
>>> > ssl_bump peek tls_s1_connect all
>>> > ssl_bump splice tls_s2_client_hello tls_to_splice
>>> > ssl_bump stare tls_s2_client_hello all
>>> > ssl_bump bump tls_s3_server_hello all
>>>
>>> AFAICT, the above is too complex. You can simplify it with:
>>>
>>> ssl_bump splice localhostgreen
>>> ssl_bump peek tls_s1_connect
>>> ssl_bump splice tls_to_splice
>>> ssl_bump stare all
>>> ssl_bump bump all
>>>
>>> and, after polishing your ACLs a little, possibly even with:
>>>
>>> ssl_bump splice transactions_to_splice
>>> ssl_bump peek tls_s1_connect
>>> ssl_bump stare all
>>> ssl_bump bump all
>>>
>>> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
>>> and tls_to_splice)".
>>>
>>>
>>> As for your original question, I recommend figuring out why Squid cannot
>>> verify the peer. For example, your setup might be missing fresh
>>> certificates for some well-known Root CAs. I do not know a good way to
>>> figure out why peer verification does not work, but analyzing cache.log
>>> with high-enough debugging level should be doable, especially if you can
>>> reproduce the problem using a single transaction:
>>>
>>>
>>> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>>
>>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
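Added example (not code from any message in this thread): a shell script that reproduces the failure Squid logged above, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (verify error 20), with a constructed chain of root CA, intermediate CA and leaf, and then shows that the fix is putting the root into the trust store, either as a bundle file or as a hashed directory, rather than turning off peer verification. The CA names, the www.example.test host, the temp directory and the trust-store layout are all assumptions of the example, and it assumes an openssl CLI of 1.1.0 or later for the -no-CAfile / -no-CApath options.

```shell
#!/bin/sh
# Added example, not code from this thread. Reproduces the failure Squid
# logged (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, verify error 20)
# with a constructed chain: root CA -> intermediate CA -> leaf, all names
# hypothetical. The trust store is then fixed by adding the root, as a
# bundle file and as a hashed directory. Assumes an openssl CLI of 1.1.0
# or later (for -no-CAfile / -no-CApath).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# self_signed NAME SUBJECT: a self-signed root CA certificate and key in $WORK.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/ca.cnf" -extensions v3_ca -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue NAME SUBJECT EXT_SECTION ISSUER: a certificate signed by ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
}

build_chain() {
    self_signed root  "/O=Example/CN=Example Root CA"
    self_signed other "/O=Example/CN=Unrelated Root CA"   # a root that is NOT this chain's
    issue int  "/O=Example/CN=Example Intermediate CA" v3_ca   root
    issue leaf "/O=Example/CN=www.example.test"        v3_leaf int
}

# A CApath-style directory: each certificate stored as <subject hash>.0, which
# is what c_rehash / openssl rehash produce and what a capath directive expects.
make_capath() {
    mkdir -p "$WORK/capath"
    cp "$WORK/root.pem" "$WORK/capath/$(openssl x509 -noout -subject_hash -in "$WORK/root.pem").0"
}

# verify_chain STORE-OPTIONS...: verify the leaf the way a TLS client does. The
# intermediate comes from the "server" (-untrusted); only STORE-OPTIONS supply
# trust anchors. Prints OK, or prints the numeric X509 verify error and fails.
verify_chain() {
    if out="$(openssl verify "$@" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1)"; then
        echo OK
    else
        # failure line looks like: error 20 at 1 depth lookup: unable to get local issuer certificate
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .* depth lookup.*/\1/p' | head -n 1
        return 1
    fi
}

build_chain
make_capath
echo "store lacks the chain's root:  $(verify_chain -no-CApath -CAfile "$WORK/other.pem" || true)"
echo "root added via -CAfile:        $(verify_chain -no-CApath -CAfile "$WORK/root.pem")"
echo "root added via -CApath:        $(verify_chain -no-CAfile -CApath "$WORK/capath")"
```

The first call is the situation in the thread: the store is not empty, it just does not hold the root that issued the intermediate, so chain building stops at depth 1 with error 20 no matter how many other roots are present. The -untrusted file plays the part of the intermediate the server sends in its handshake, which is why only the root has to be trusted locally. The hashed directory is the layout a Squid 3.x sslproxy_capath directive expects, so the same verify_chain call can be pointed at the proxy's own CA directory; a 20 there means the root is missing, and that, not sslproxy_flags DONT_VERIFY_PEER or an sslproxy_cert_error allow rule, is what to fix.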