[squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

David Touzeau david at articatech.com
Mon Jan 23 23:28:45 UTC 2017


Same issue with https://www.digitalocean.com/
Has nobody else encountered this issue using Squid in transparent mode with SSL?


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of David Touzeau
Sent: Sunday, 22 January 2017 19:49
To: squid-users at lists.squid-cache.org
Subject: [squid-users] [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol


Hi

I'm using the transparent SSL method:

https_port 0.0.0.0:53695 intercept disable-pmtu-discovery=transparent name=MyPortNameID22 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cb623e9bfc65772f68b84393604cd6ea.dyn

sslproxy_foreign_intermediate_certs /etc/squid3/intermediate_ca.pem
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/squid/session/ssl/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

As you can see, Squid just intercepts SSL connections and bumps nothing (only to filter connections with the url_rewrite program and to log SSL connections).

When connecting to mozilla.org through the transparent port, we receive this error:

* About to connect() to www.mozilla.org port 443 (#0)
*   Trying 104.16.41.2...
* connected
* Connected to www.mozilla.org (104.16.41.2) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol


And in Squid's access.log:

1485110919.564      3 192.168.1.236 TAG_NONE/403 6263 CONNECT 104.16.41.2:443 - HIER_NONE/- text/html

When using Squid on the standard port (connected port / TUNNEL), mozilla.org is displayed correctly without any error.


How can I whitelist mozilla.org without creating a bypass iptables rule?


Best regards




_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
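A diagnostic for the symptom reported in this thread, added here as an editor's example and not code from the poster or from the Squid project. curl's "SSL23_GET_SERVER_HELLO:unknown protocol" means the bytes that came back after the ClientHello were not a TLS record at all; the script below sends a minimal TLS ClientHello carrying an SNI extension and classifies the first bytes of the reply, distinguishing a genuine TLS answer (ServerHello or alert) from a plaintext HTTP response such as the TAG_NONE/403 page in the access.log line above. The sample responses embedded at the bottom are constructed for offline testing; the cipher-suite list, the fixed all-zero random and the names of the helper functions are the author's own choices, not anything the thread specifies.

```python
"""Probe a TLS port and say whether the reply is TLS or a plaintext HTTP page."""
import socket
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a TLS 1.2 ClientHello record with a few RSA/ECDHE suites and an SNI extension.

    The record is only a probe: the random is fixed and no session is completed.
    """
    sni_name = server_name.encode("idna")
    # server_name extension (type 0x0000): ServerNameList of one host_name (type 0) entry
    sni_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    cipher_suites = (
        b"\xc0\x2f"  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        b"\xc0\x30"  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        b"\x00\x9c"  # TLS_RSA_WITH_AES_128_GCM_SHA256
        b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA
        b"\x00\x35"  # TLS_RSA_WITH_AES_256_CBC_SHA
    )
    body = (
        b"\x03\x03"                                        # client_version: TLS 1.2
        + b"\x00" * 32                                     # random (fixed; probe only)
        + b"\x00"                                          # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after our ClientHello."""
    if not data:
        return "closed"           # peer closed without a byte: RST/firewall, not this symptom
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls-handshake"    # ServerHello: a real TLS endpoint, or a proxy that bumped
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"        # e.g. handshake_failure: still TLS, so not "unknown protocol"
    if data.startswith(b"HTTP/"):
        return "http-plaintext"   # HTTP on a TLS port: exactly what OpenSSL calls unknown protocol
    return "unknown"


def http_status(data: bytes):
    """Return the status code of a plaintext HTTP response, or None if it is not one."""
    first_line = data.split(b"\r\n", 1)[0].split()
    if len(first_line) >= 2 and first_line[0].startswith(b"HTTP/") and first_line[1].isdigit():
        return int(first_line[1])
    return None


def probe(host: str, port: int = 443, server_name: str = None, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify the reply.

    Run it from a client behind the intercepting Squid so the connection is actually
    redirected to the https_port; run it from the proxy itself to compare with the origin.
    """
    hello = build_client_hello(server_name or host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


# Constructed sample replies (not captured from the poster's network) for offline checks.
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + b"\x11" * 32 + b"\x00\xc0\x2f\x00"
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"  # fatal handshake_failure
SAMPLE_PROXY_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: squid/3.5.23\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Access Denied.</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("ServerHello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_TLS_ALERT), ("proxy 403", SAMPLE_PROXY_403)):
        print(f"{label:>11}: {classify_response(sample)} status={http_status(sample)}")
```

Reading the result: "http-plaintext" with status 403 from inside the intercepted network, together with "tls-handshake" for the same host from the proxy itself, localises the failure to Squid answering the peeked connection with an HTTP error page instead of splicing it; a "tls-alert" result points at a cipher or SNI problem on the origin rather than at the interception.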
