[squid-users] SSL3_GET_SERVER_CERTIFICATE failed
Amos Jeffries
squid3 at treenet.co.nz
Mon Dec 11 02:24:09 UTC 2017
On 11/12/17 14:06, G~D~Lunatic wrote:
> my squid is a transparent proxy.
You have an interception proxy. It is modifying the TCP/IP packets with
NAT and the TLS handshakes with SSL-Bump stare+bump.
<https://tools.ietf.org/html/rfc3040#section-2.1>
<https://tools.ietf.org/html/rfc3040#section-2.5>
To be properly a "transparent proxy" requires use of TPROXY interception
on the http_port and peek+splice on the ssl_bump.
> when i use WeChat client upload file or picture, it failed.
Please explain "it failed".
What does the client receive ?
What is received when it does not fail ?
Please also be aware that securely written App's use "certificate
pinning" or similar mechanisms to ensure their traffic is not
intercepted / bump'ed. There is nothing Squid can do about those - they
*will* fail if bumping is attempted.
> the access.log shows that
> 1512953345.798 75 192.168.51.15 TAG_NONE/200 0 CONNECT
> 111.206.23.97:443 - ORIGINAL_DST/111.206.23.97 -
The above is a TCP connection reaching SSL-Bump step2 bump'ing. No TLS
SNI was provided by the client.
> 1512953345.805 0 192.168.51.15 TAG_NONE/503 4380 POST
> https://msg.71.am/v5/ypt/hcdn_multicurl - HIER_NONE/- text/html
The above looks like Squid delivering an error about something going
wrong in the TLS handshake. IIRC Alex already mentioned to you that
Squid bump's these TLS handshakes with invalid certs to deliver errors
in a way that Browsers will display.
It may or may not be related to the earlier CONNECT line. Details of the
error are found within the encrypted 503 response itself, not logged.
The below are all different TCP connections being stare'd at step1.
> 1512953349.713 10 192.168.51.15 TAG_NONE/200 0 CONNECT
> 101.226.152.108:443 - HIER_NONE/- -
> 1512953350.931 10 192.168.51.15 TAG_NONE/200 0 CONNECT
> 123.151.76.49:443 - HIER_NONE/- -
> 1512953354.059 11 192.168.51.15 TAG_NONE/200 0 CONNECT
> 123.151.76.49:443 - HIER_NONE/- -
>
> i used wireshark catch the package, Encrypted Alert was shown.
> i want to know where the problem or how i can do.
The only int of a problem is that 503 being generated by Squid due to
something unknown. No details of what might be causing that are visible
in any of the info you provided.
> Here is my configure
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
>
When cert= and key= are the same file, you do not have to configure the
key= option.
The dynamic_cert_mem_cache_size=4MB is the default value, no need to
configure defaults explicitly like that.
One test to try is removing that options= setting. If the problem goes
away then the client TLS handshake is requiring SSL. Use of that
protocol is bad, but still sometimes unavoidable.
>
> acl broken_sites ssl::server_name matchweb.sports.qq.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump splice broken_sites
> #ssl_bump splice all
> ssl_bump stare ssl_step1
> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3
>
The absence of a stare at step2 prohibits the ability of Squid to mimic
server details in the TLS handshake it delivers to the client. Without
mimic the chances of TLS failure get *much* greater.
Amos
More information about the squid-users
mailing list