[squid-users] HTTPS Settings

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 14 05:08:25 UTC 2018 

On 14/12/18 5:39 pm, John Refwe wrote:
> Hi,
> 
> I am writing about assistance with my SSL bump settings.
> 
> My squid conf (this is a simple version I'm using to test this issue) looks as follows:
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> http_access allow all
> sslcrtd_children 2 startup=2 idle=1
> http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2 
> 

FYI: SSLv2 support have been removed completely from Squid-4. That
includes things like "NO_SSL_v2".


> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 
> 
> There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.
> 
> My browser shows a screen that reads: "Failed to establish a secure connection to 96.43.153.48. The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache logs contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"
> 

The weird message is from your OpenSSL library. Apparently the server
being contacted for this transaction is not responding with TLS.


> Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.
> 

server-first is more equivalent to bumping at step3. You should use a
"stare" at step2 before bumping for more reliable behaviour. That may
not fix your issue though.


The best way to debug this further is to perform a packet capture of a
test transaction which is failing and look at what the server is sending
to Squid.


Amos

More information about the squid-users mailing list