[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

David Touzeau david at articatech.com
Sun Jan 22 18:48:47 UTC 2017


Hi

I'm using the SSL transparent method:

https_port 0.0.0.0:53695 intercept disable-pmtu-discovery=transparent name=MyPortNameID22 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn

sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

As you can see, Squid just intercepts SSL queries and bumps nothing (just to
filter connections via the url_rewrite program and log SSL connections).

When connecting to mozilla.org using transparent mode, we receive this error:

* About to connect() to www.mozilla.org port 443 (#0)
*   Trying 104.16.41.2...
* connected
* Connected to www.mozilla.org (104.16.41.2) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SL23_GET_SERVER_HELLO:unknown protocol


And squid access.log

1485110919.564      3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html

When using Squid on the standard port (connected port/TUNNEL), mozilla.org is
displayed correctly without any error.


How can I whitelist mozilla.org without creating a bypass iptables rule?


Best regards
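As an added example, not part of David's post and not a tool shipped with Squid: a small Python parser for Squid's native access.log format (the ten-field `logformat squid` layout used in the line above) that separates intercepted CONNECTs Squid denied before contacting any origin (TAG_NONE/403 with HIER_NONE) from tunnels it spliced through (TCP_TUNNEL). The first sample line is the one from the post; the TCP_TUNNEL and GET lines are constructed. The reading behind the "denied" label is the caveat a practitioner wants here: with HIER_NONE no server was contacted, and the 6263-byte text/html body of the 403 goes to the client in clear text on the intercepted socket, which is what curl reports as "unknown protocol" where it expected a TLS ServerHello.

```python
"""Classify Squid native access.log entries from an ssl-bump intercept setup.

Added example, not part of the original post or of the Squid project.
Squid's native log format has ten space-separated fields:
  time.ms elapsed client TAG/status bytes method URL ident HIER/peer type
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    tag: str          # e.g. TAG_NONE, TCP_TUNNEL, TCP_MISS
    status: int       # HTTP status Squid returned to the client, e.g. 403
    size: int         # bytes sent to the client
    method: str
    url: str
    ident: str
    hier_code: str    # HIER_NONE means no origin server was contacted
    peer: str
    content_type: str


def parse_line(line: str) -> AccessEntry:
    """Parse one native-format line; raises ValueError on anything else."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, elapsed, client, result, size, method, url, ident, hier, ctype = fields
    tag, status = result.split("/", 1)
    hier_code, peer = hier.split("/", 1)
    return AccessEntry(float(ts), int(elapsed), client, tag, int(status),
                       int(size), method, url, ident, hier_code, peer, ctype)


def classify(entry: AccessEntry) -> str:
    """Label intercepted TLS traffic by what Squid did with the CONNECT.

    'denied'  : the (fake) CONNECT was refused by Squid's access controls
                before any origin contact; the client receives a plain-text
                HTML error page where it expected a TLS ServerHello.
    'spliced' : Squid tunnelled the TLS bytes through untouched.
    'other'   : everything else (plain HTTP, bumped requests, ...).
    """
    if entry.method != "CONNECT":
        return "other"
    if entry.tag == "TAG_NONE" and entry.status == 403 and entry.hier_code == "HIER_NONE":
        return "denied"
    if entry.tag == "TCP_TUNNEL":
        return "spliced"
    return "other"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count entries per class, skipping blank lines."""
    counts = {"denied": 0, "spliced": 0, "other": 0}
    for line in lines:
        if line.strip():
            counts[classify(parse_line(line))] += 1
    return counts


def denied_destinations(lines: List[str]) -> List[str]:
    """Destinations whose intercepted CONNECT never reached the origin."""
    entries = [parse_line(line) for line in lines if line.strip()]
    return [e.url for e in entries if classify(e) == "denied"]


# First line is the one from the post; the other two are constructed
# (a hypothetical spliced tunnel to the same host and a plain HTTP GET).
SAMPLE_LOG = [
    "1485110919.564      3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html",
    "1485110950.101   1200 192.168.1.236 TCP_TUNNEL/200 8421 CONNECT 104.16.41.2:443 - HIER_DIRECT/104.16.41.2 -",
    "1485110960.222     15 192.168.1.236 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(denied_destinations(SAMPLE_LOG))
```

Run it against a real access.log by feeding the file's lines to `summarize` and `denied_destinations`; a non-empty denied list in an intercept-only, splice-all setup points at the http_access evaluation of the fake CONNECT rather than at the ssl_bump rules, since a spliced connection would have logged TCP_TUNNEL instead.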





