Re: Does anyone know how to make SSL bump work?

"Treker Chen" <treker.chen@xxxxxxxxx> · Thu, 29 May 2008 21:23:40 +0800

>
> That error looks like your ACL are denying access somewhere. Is there a peer
> configured and never_direct lines anywhere?

Nope, there is no peer or never_direct configured, the following is
the entire squid.conf with # filtered

debian40r3:/usr/local/squid# more etc/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow CONNECT !SSL_ports

http_access allow localnet

http_access allow all

icp_access allow localnet
icp_access deny all

htcp_access allow localnet
htcp_access deny all

http_port 3128 sslBump cert=/usr/local/squid/etc/apache.crt
key=/usr/local/squid/etc/apache.pem
ssl_bump allow all

hierarchy_stoplist cgi-bin ?

access_log /usr/local/squid/var/logs/access.log squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

visible_hostname ED_proxy

icp_port 3130

#always_direct allow all

icap_enable off
icap_service service_1 reqmod_precache 0 icap://localhost:1344/reqmod
coredump_dir /usr/local/squid/var/cache

debug_options ALL,1 28,9

>
> You can trace the ACL actions in cache.log with debug_options ALL,1 28,9
>

2008/05/29 21:04:35.770| aclCheckFast: list: 0x8395c00
2008/05/29 21:04:35.770| ACLChecklist::preCheck: 0xbfd8dfa8 checking
'ident_lookup_access deny all'
2008/05/29 21:04:35.770| ACLList::matches: checking all
2008/05/29 21:04:35.770| ACL::checklistMatches: checking 'all'
2008/05/29 21:04:35.770| aclIpMatchIp: '192.168.1.101:2498' found
2008/05/29 21:04:35.770| ACL::ChecklistMatches: result for 'all' is 1
2008/05/29 21:04:35.770| ACLList::matches: result is true
2008/05/29 21:04:35.770| aclmatchAclList: 0xbfd8dfa8 returning true
(AND list satisfied)
2008/05/29 21:04:35.770| ACLChecklist::markFinished: 0xbfd8dfa8
checklist processing finished
2008/05/29 21:04:35.770| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dfa8
2008/05/29 21:04:35.781| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow manager localhost'
2008/05/29 21:04:35.781| ACLList::matches: checking manager
2008/05/29 21:04:35.781| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:35.781| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:35.781| ACLList::matches: result is false
2008/05/29 21:04:35.781| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:35.781| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:35.781| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny manager'
2008/05/29 21:04:35.781| ACLList::matches: checking manager
2008/05/29 21:04:35.781| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:35.781| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:35.781| ACLList::matches: result is false
2008/05/29 21:04:35.781| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:35.781| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:35.781| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny !Safe_ports'
2008/05/29 21:04:35.781| ACLList::matches: checking !Safe_ports
2008/05/29 21:04:35.781| ACL::checklistMatches: checking 'Safe_ports'
2008/05/29 21:04:35.781| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2008/05/29 21:04:35.781| ACLList::matches: result is false
2008/05/29 21:04:35.781| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:35.781| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:35.781| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow CONNECT !SSL_ports'
2008/05/29 21:04:35.781| ACLList::matches: checking CONNECT
2008/05/29 21:04:35.781| ACL::checklistMatches: checking 'CONNECT'
2008/05/29 21:04:35.781| ACL::ChecklistMatches: result for 'CONNECT' is 0
2008/05/29 21:04:35.781| ACLList::matches: result is false
2008/05/29 21:04:35.781| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:35.781| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:35.781| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow localnet'
2008/05/29 21:04:35.781| ACLList::matches: checking localnet
2008/05/29 21:04:35.781| ACL::checklistMatches: checking 'localnet'
2008/05/29 21:04:35.781| aclIpMatchIp: '192.168.1.101:2498' found
2008/05/29 21:04:35.781| ACL::ChecklistMatches: result for 'localnet' is 1
2008/05/29 21:04:35.781| ACLList::matches: result is true
2008/05/29 21:04:35.781| aclmatchAclList: 0x8613c40 returning true
(AND list satisfied)
2008/05/29 21:04:35.781| ACLChecklist::markFinished: 0x8613c40
checklist processing finished
2008/05/29 21:04:35.781| ACLChecklist::check: 0x8613c40 match found,
calling back with 1
2008/05/29 21:04:35.781| ACLChecklist::checkCallback: 0x8613c40 answer=1
2008/05/29 21:04:35.781| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dc40
2008/05/29 21:04:35.782| aclCheckFast: list: 0
2008/05/29 21:04:35.782| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.782| ACLChecklist::~ACLChecklist: destroyed 0xbfd8daac
2008/05/29 21:04:35.782| ACLChecklist::~ACLChecklist: destroyed 0xbfd8d860
2008/05/29 21:04:35.782| ACLChecklist::~ACLChecklist: destroyed 0xbfd8d874
2008/05/29 21:04:35.782| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| aclCheckFast: list: 0
2008/05/29 21:04:35.902| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:35.902| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dd9c
2008/05/29 21:04:35.903| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
2008/05/29 21:04:40.729| aclCheckFast: list: 0x8395c00
2008/05/29 21:04:40.729| ACLChecklist::preCheck: 0xbfd8dfa8 checking
'ident_lookup_access deny all'
2008/05/29 21:04:40.729| ACLList::matches: checking all
2008/05/29 21:04:40.729| ACL::checklistMatches: checking 'all'
2008/05/29 21:04:40.729| aclIpMatchIp: '192.168.1.101:2505' found
2008/05/29 21:04:40.729| ACL::ChecklistMatches: result for 'all' is 1
2008/05/29 21:04:40.729| ACLList::matches: result is true
2008/05/29 21:04:40.729| aclmatchAclList: 0xbfd8dfa8 returning true
(AND list satisfied)
2008/05/29 21:04:40.729| ACLChecklist::markFinished: 0xbfd8dfa8
checklist processing finished
2008/05/29 21:04:40.729| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dfa8
2008/05/29 21:04:40.730| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow manager localhost'
2008/05/29 21:04:40.730| ACLList::matches: checking manager
2008/05/29 21:04:40.730| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:40.730| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:40.730| ACLList::matches: result is false
2008/05/29 21:04:40.730| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.730| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.730| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny manager'
2008/05/29 21:04:40.730| ACLList::matches: checking manager
2008/05/29 21:04:40.730| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:40.730| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:40.730| ACLList::matches: result is false
2008/05/29 21:04:40.730| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.730| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.730| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny !Safe_ports'
2008/05/29 21:04:40.730| ACLList::matches: checking !Safe_ports
2008/05/29 21:04:40.730| ACL::checklistMatches: checking 'Safe_ports'
2008/05/29 21:04:40.730| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2008/05/29 21:04:40.730| ACLList::matches: result is false
2008/05/29 21:04:40.731| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.731| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.731| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow CONNECT !SSL_ports'
2008/05/29 21:04:40.731| ACLList::matches: checking CONNECT
2008/05/29 21:04:40.731| ACL::checklistMatches: checking 'CONNECT'
2008/05/29 21:04:40.731| ACL::ChecklistMatches: result for 'CONNECT' is 1
2008/05/29 21:04:40.731| ACLList::matches: result is true
2008/05/29 21:04:40.731| ACLList::matches: checking !SSL_ports
2008/05/29 21:04:40.731| ACL::checklistMatches: checking 'SSL_ports'
2008/05/29 21:04:40.731| ACL::ChecklistMatches: result for 'SSL_ports' is 1
2008/05/29 21:04:40.731| ACLList::matches: result is false
2008/05/29 21:04:40.731| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.731| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.731| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow localnet'
2008/05/29 21:04:40.731| ACLList::matches: checking localnet
2008/05/29 21:04:40.731| ACL::checklistMatches: checking 'localnet'
2008/05/29 21:04:40.731| aclIpMatchIp: '192.168.1.101:2505' found
2008/05/29 21:04:40.731| ACL::ChecklistMatches: result for 'localnet' is 1
2008/05/29 21:04:40.731| ACLList::matches: result is true
2008/05/29 21:04:40.731| aclmatchAclList: 0x8613c40 returning true
(AND list satisfied)
2008/05/29 21:04:40.731| ACLChecklist::markFinished: 0x8613c40
checklist processing finished
2008/05/29 21:04:40.731| ACLChecklist::check: 0x8613c40 match found,
calling back with 1
2008/05/29 21:04:40.731| ACLChecklist::checkCallback: 0x8613c40 answer=1
2008/05/29 21:04:40.731| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dc40
2008/05/29 21:04:40.731| aclCheckFast: list: 0x8395bc0
2008/05/29 21:04:40.731| ACLChecklist::preCheck: 0xbfd8db24 checking
'ssl_bump allow all'
2008/05/29 21:04:40.731| ACLList::matches: checking all
2008/05/29 21:04:40.731| ACL::checklistMatches: checking 'all'
2008/05/29 21:04:40.731| aclIpMatchIp: '192.168.1.101:2505' found
2008/05/29 21:04:40.731| ACL::ChecklistMatches: result for 'all' is 1
2008/05/29 21:04:40.731| ACLList::matches: result is true
2008/05/29 21:04:40.731| aclmatchAclList: 0xbfd8db24 returning true
(AND list satisfied)
2008/05/29 21:04:40.731| ACLChecklist::markFinished: 0xbfd8db24
checklist processing finished
2008/05/29 21:04:40.731| ACLChecklist::~ACLChecklist: destroyed 0xbfd8db24
2008/05/29 21:04:40.731| ACLChecklist::~ACLChecklist: destroyed 0x8613c40
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMABAIANQQgvRoVpBJUzK85rUPolDqn1OMKmwjqv3azFRrHAt2IdJ0E
MFNVEsz3JTg85+zeRWR8e8SNLPrQoDEzJpG01YjXYMZ/0jq8LscBexSWGmrO1Tq1
yaEGAgRIPqnoogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2008/05/29 21:04:40.746| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow manager localhost'
2008/05/29 21:04:40.746| ACLList::matches: checking manager
2008/05/29 21:04:40.746| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:40.747| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:40.747| ACLList::matches: result is false
2008/05/29 21:04:40.747| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.747| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.747| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny manager'
2008/05/29 21:04:40.747| ACLList::matches: checking manager
2008/05/29 21:04:40.747| ACL::checklistMatches: checking 'manager'
2008/05/29 21:04:40.747| ACL::ChecklistMatches: result for 'manager' is 0
2008/05/29 21:04:40.747| ACLList::matches: result is false
2008/05/29 21:04:40.747| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.747| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.747| ACLChecklist::preCheck: 0x8613c40 checking
'http_access deny !Safe_ports'
2008/05/29 21:04:40.747| ACLList::matches: checking !Safe_ports
2008/05/29 21:04:40.747| ACL::checklistMatches: checking 'Safe_ports'
2008/05/29 21:04:40.747| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2008/05/29 21:04:40.747| ACLList::matches: result is false
2008/05/29 21:04:40.747| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.747| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.747| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow CONNECT !SSL_ports'
2008/05/29 21:04:40.747| ACLList::matches: checking CONNECT
2008/05/29 21:04:40.747| ACL::checklistMatches: checking 'CONNECT'
2008/05/29 21:04:40.747| ACL::ChecklistMatches: result for 'CONNECT' is 0
2008/05/29 21:04:40.747| ACLList::matches: result is false
2008/05/29 21:04:40.747| aclmatchAclList: 0x8613c40 returning false
(AND list entry failed to match)
2008/05/29 21:04:40.747| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2008/05/29 21:04:40.747| ACLChecklist::preCheck: 0x8613c40 checking
'http_access allow localnet'
2008/05/29 21:04:40.747| ACLList::matches: checking localnet
2008/05/29 21:04:40.747| ACL::checklistMatches: checking 'localnet'
2008/05/29 21:04:40.747| aclIpMatchIp: '192.168.1.101:2505' found
2008/05/29 21:04:40.747| ACL::ChecklistMatches: result for 'localnet' is 1
2008/05/29 21:04:40.747| ACLList::matches: result is true
2008/05/29 21:04:40.747| aclmatchAclList: 0x8613c40 returning true
(AND list satisfied)
2008/05/29 21:04:40.747| ACLChecklist::markFinished: 0x8613c40
checklist processing finished
2008/05/29 21:04:40.747| ACLChecklist::check: 0x8613c40 match found,
calling back with 1
2008/05/29 21:04:40.747| ACLChecklist::checkCallback: 0x8613c40 answer=1
2008/05/29 21:04:40.747| ACLChecklist::~ACLChecklist: destroyed 0xbfd8dc40
2008/05/29 21:04:40.747| aclCheckFast: list: 0
2008/05/29 21:04:40.747| aclCheckFast: no matches, returning: 1
2008/05/29 21:04:40.747| ACLChecklist::~ACLChecklist: destroyed 0xbfd8daac
2008/05/29 21:04:40.747| Failed to select source for
'https://ebank.bot.com.tw/Default.asp?ITrnTm=1212066247359'
2008/05/29 21:04:40.747|   always_direct = 0
2008/05/29 21:04:40.747|    never_direct = 0
2008/05/29 21:04:40.747|        timedout = 0

And if i set "always_direct allow all" in squid.conf, then i can
connect to https website without problem, but i don't think the SSL
Bump is work under this condition because i saw the certification of
the website is valid. though at the begging browser will show up the
warning of invalid ssl certificate.

Regards
Treker