[squid-users] Squid 4.12 Arch Linux Google Chrome fails - OpenSSL 1.1.1g (was Re: SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server hello)
Amish
anon.amish at gmail.com
Mon Jun 29 15:18:12 UTC 2020
On 16/06/20 1:13 pm, Loučanský Lukáš wrote:
> But the client on the intercepted connection (via changed routing table under mikrotik and then prerouted to correct squid ports for http and ssl traffic) running Chrome 83 http://download.kjj.cz/pub/ssl/idnes.cz_chrome.83.0.4103.97.pcapng sends ClientHello - and no ServerHello is received. I've tcpdumped outgoing interface on the squid box - and there was no actual connection to the desired server.
> In the access.log there is something like 1592212170.495 2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
>
> But - same client, same network, same network running Firefox 77 http://download.kjj.cz/pub/ssl/idnes.cz_firefox.77.0.1.pcapng gets ServerHello after its ClientHello - they exchange information, exchange ciphers etc. and the web page is loaded. I've checked https certificate details - it's been issued by my CA.
>
>
> access.log:
>
> 1592212156.764 8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
> 1592212156.774 2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.825 38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
> 1592212156.840 7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
> 1592212156.893 28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
>
>
> So in Firefox - it seems to be working
I am using Arch Linux and today I upgraded squid to 4.12 (from 4.10).
I am observing a very similar issue.
Clients make HTTPS request via CONNECT to port 8080.
I have configured SSL bump but it is "effectively" deactivated via the
following ACL:
http_port 8080 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/ssl_cert/squid.pem tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_bump splice ssl_step1 nosslbump_ips # (acl type src)
ssl_bump peek ssl_step1
ssl_bump splice nosslbump_domains # (acl type ssl::server_name_regex)
(more ssl_bump lines not shown)
nosslbump_domains contains ".*" - so effectively nothing is bumped.
Firefox and IE work fine. But in Google Chrome, sites don't open.
Access log shows NONE_ABORTED (for google chrome).
And the packet sniffer shows FIN, ACK sent by squid. (I have not gone into
the details as I don't understand packet details.)
Am I doing anything wrong? If not, then is there any temporary
workaround without downgrading squid?
Please guide,
Thank you
Amish.
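Both posters identify the failing requests by the NONE_ABORTED/200 CONNECT entries with 0 bytes and HIER_NONE in access.log. The following is an added example, not code from either poster or from the Squid project: a small parser for Squid's default native log format that pulls out those aborted tunnels and summarizes them per client, so a browser-specific failure (one client address aborting every destination) can be told apart from a single misbehaving origin. The sample log embeds the lines quoted in the thread plus constructed entries for a second client address (10.0.0.41) and a second destination (93.184.216.34), which do not appear in the thread.

```python
"""Find aborted CONNECT tunnels in Squid's native access.log format.

Added example, not part of the squid-users thread. Field order follows
Squid's default "squid" logformat:
  time elapsed client result/status bytes method url user hierarchy/peer type
"""
from collections import defaultdict

# Constructed sample: the first three lines and the NONE_ABORTED line for
# 10.0.0.40 are quoted from the thread; the 10.0.0.41 lines and the
# 93.184.216.34 destination are made up for this example.
SAMPLE_LOG = """\
1592212156.764 8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
1592212156.774 2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.825 38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
1592212170.495 2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212171.100 3 10.0.0.41 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212172.000 1 10.0.0.41 NONE_ABORTED/200 0 CONNECT 93.184.216.34:443 - HIER_NONE/- -
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for junk lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    hierarchy, _, peer = parts[8].partition("/")
    return {
        "time": float(parts[0]),
        "elapsed_ms": int(parts[1]),
        "client": parts[2],
        "result": result,          # e.g. TCP_MISS, NONE, NONE_ABORTED
        "status": int(status),     # HTTP status code
        "bytes": int(parts[4]),
        "method": parts[5],
        "url": parts[6],           # host:port for CONNECT
        "user": parts[7],
        "hierarchy": hierarchy,    # e.g. ORIGINAL_DST, HIER_NONE
        "peer": peer,
        "type": parts[9],
    }


def aborted_connects(log_text):
    """Return CONNECT entries the client gave up on before Squid reached any
    origin: result NONE_ABORTED with HIER_NONE (no upstream was contacted).
    This is the signature both posters report for the failing browser."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "CONNECT"
                and rec["result"] == "NONE_ABORTED"
                and rec["hierarchy"] == "HIER_NONE"):
            hits.append(rec)
    return hits


def connect_abort_ratio(log_text):
    """Per client: (aborted CONNECTs, total CONNECTs). A client whose every
    tunnel aborts points at a client/proxy TLS interaction rather than at
    one bad destination."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        totals[rec["client"]][1] += 1
        if rec["result"] == "NONE_ABORTED":
            totals[rec["client"]][0] += 1
    return {client: tuple(counts) for client, counts in totals.items()}


def summarize_by_client(hits):
    """Map client -> {'aborted': n, 'destinations': sorted host:port list}."""
    per_client = defaultdict(lambda: {"aborted": 0, "destinations": set()})
    for rec in hits:
        entry = per_client[rec["client"]]
        entry["aborted"] += 1
        entry["destinations"].add(rec["url"])
    return {
        client: {"aborted": v["aborted"], "destinations": sorted(v["destinations"])}
        for client, v in per_client.items()
    }


if __name__ == "__main__":
    hits = aborted_connects(SAMPLE_LOG)
    for client, summary in summarize_by_client(hits).items():
        aborted, total = connect_abort_ratio(SAMPLE_LOG)[client]
        print(f"{client}: {aborted}/{total} CONNECTs aborted, "
              f"destinations={summary['destinations']}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a client showing a high abort ratio across many distinct destinations, alongside other clients on the same network with normal ratios, reproduces the "Chrome fails, Firefox works" pattern from the thread without needing a packet capture first.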