[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol
David Touzeau
david at articatech.com
Sun Jan 22 18:48:47 UTC 2017
Hi
I'm using the SSL transparent method:
https_port 0.0.0.0:53695 intercept disable-pmtu-discovery=transparent name=MyPortNameID22 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn
sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
As you can see, squid just intercepts SSL queries and bumps nothing (just to filter connections from the url_rewrite program and log SSL connections).
When connecting to mozilla.org using the transparent port, we receive this error:
* About to connect() to www.mozilla.org port 443 (#0)
* Trying 104.16.41.2...
* connected
* Connected to www.mozilla.org (104.16.41.2) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
And squid access.log:
1485110919.564 3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
When using squid on the standard port (connected port/TUNNEL), mozilla is displayed correctly without any error.
How can I whitelist mozilla.org without creating an iptables bypass rule?
Best regards
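As an added example (not part of the post or of Squid itself), a small parser for Squid's native access.log format that picks out intercepted TLS connections Squid refused before any TLS handshake, which is what the TAG_NONE/403 CONNECT line above records; the log lines are constructed, the first being the one quoted in the post.

```python
# Added example, not from the post: parse Squid native access.log lines and
# flag intercepted TLS connections that Squid denied before any TLS handshake.
# LOG_LINES are constructed samples; the first is the entry quoted above.
import ipaddress
import re

LOG_LINES = """\
1485110919.564 3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html
1485110920.101 1532 192.168.1.236 TCP_TUNNEL/200 4811 CONNECT 93.184.216.34:443 - ORIGINAL_DST/93.184.216.34 -
1485110921.007 12 192.168.1.236 TCP_MISS/200 912 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
""".splitlines()

# Native format: time elapsed client code/status bytes method url ident hier/peer type
_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_native(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = _NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def denied_intercepted_connects(lines):
    """Return (client, host) pairs where Squid answered a CONNECT with 403 and no
    peer (TAG_NONE / HIER_NONE) while the URL host is still a bare IP, i.e. before
    any server name was learned. In an intercept + ssl-bump setup that is the fake
    CONNECT Squid synthesises at SslBump1 being denied by http_access; the HTTP
    error page then goes out on the raw TCP socket, which the client's TLS library
    reports as 'unknown protocol' (curl error 35) rather than as a certificate issue."""
    hits = []
    for line in lines:
        rec = parse_native(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host = rec["url"].rsplit(":", 1)[0]
        if rec["status"] == 403 and rec["code"] == "TAG_NONE" and _is_ip(host):
            hits.append((rec["client"], host))
    return hits
```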