[squid-users] How to intercept ssl_bump transparent NAT https websites

Amos Jeffries squid3 at treenet.co.nz
Wed May 31 14:14:59 UTC 2017


On 31/05/17 20:15, Andi wrote:
> Squid 3.5.25 + Squidclamav(c-icap) + SquidGuard
> Here are the logs with SSL_ERROR_RX_RECORD_TOO_LONG in Firefox by 
> debug_options ALL,1 11,2 and 61,5
> https://mega.nz/#!dIdAkYra!aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk 
> <https://mega.nz/#%21dIdAkYra%21aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk>
>
> Here the squid.conf & squidguard.conf
> https://pastebin.com/v2LA8CcR
>

I see your SG is trying to redirect HTTPS tunnels (which are essentially 
collections of multiple transactions) to a single HTTP plain-text page 
URL (singular). There is a bug in Squid that is dutifully (but wrongly) 
sending that response back as-is to the client. But since this is just 
an intercepted TCP connection at this point the browser just mistakes it 
for bogus TLS handshake bytes.
  I think I saw some patches from Christos fixing some of this a while 
back, but do not recall if they made it into Squid-3. There is a lot of 
SSL-Bump redesign that only exists in Squid-4 these days.

SG should never be sent CONNECT messages anyway - it does not understand 
them, never has AFAIK. So the workaround is simply to enforce that like so:

  url_redirect_access deny CONNECT

Squid will then do any relevant bumping and pass SG the decrypted 
messages you actually want it to manage.

Amos



More information about the squid-users mailing list