[squid-users] Working peek/splice no longer functioning on some sites

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 25 10:48:59 UTC 2017 

On 25/11/17 08:30, James Lay wrote:
> Topic says it...this setup has been working well for a long time, but 
> now there are some sites that are failing the TLS handshake.  Here's my 
> setup:
> 
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl CONNECT method CONNECT
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> http_access allow SSL_ports
> http_access allow allowed_http_sites
> http_access deny all
> 
> 
> ssl_bump peek all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all


Because you have "peek all" being performed the transaction MUST pass 
your regex patterns with both TLS SNI from the client *and* the server 
certificate SubjectName values. Either one not matching will perform 
that "terminate all" on the TLS handshake.


> 
> sslproxy_cert_error allow all
> sslproxy_capath /etc/ssl/certs
> sslproxy_flags DONT_VERIFY_PEER
> #sslproxy_options ALL


Also, please remove these "*_error allow all" and DONT_VERIFY_PEER lines 
from your config. They are actively harmful.

> 
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> sslcrtd_children 5
> 
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump 
> cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem 
> cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem 
> key=/opt/etc/squid/certs/sslsplit_ca_key.pem 

NP: when cert= and key= are in the same file you do not need to specify 
key=.

> generate-host-certificates=on 
> dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> 

It is also best to add "sslflags=NO_DEFAULT_CA" to these ports for 
Squid-3. That will save a lot of useless memory overheads.


> 
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni 
> %ssl::>cert_subject %>Hs %<st %Ss:%Sh
> 
...
> For example, the file http_url.txt contains:
> 
> account\.elderscrollsonline\.com
> \.elderscrollsonline\.com
> elderscrollsonline\.com
> 
> 
> After doing some reading it looks like this is http2 traffic: 
> https://wiki.squid-cache.org/Features/HTTP2.
> 

There is no sign of HTTP/2 in that PCAP trace. There is SPDY/3 and 
HTTP/1.1 being offered by the client.


If that is from the client to Squid, then please check the matching 
Squid->server for what is going on there.



If the problem remains please try Squid-4. It has more advanced TLS 
capabilities than Squid-3.

Amos

More information about the squid-users mailing list