Re: Memory leaks in squid 3.3.5?

Hi Eliezer,

I can tell you that we have come across specific sites that were OK being bumped in squeeze (which comes with OpenSSL 0.9.8) but did not work in wheezy, which uses 1.0.1.

Here are the example sites we found so far (in the form of acls):

acl nobump dstdomain .cardsonline-commercial.com
acl nobump dstdomain .nwolb.com
acl nobump dstdomain .studentloanrepayment.co.uk
acl nobump dstdomain .shareview.co.uk
acl nobump dstdomain .cahoot.com
acl nobump dstdomain .firstdirect.com
acl nobump dstdomain .nab.com.au
acl nobump dstdomain .rbs.co.uk

I think it's something to do with TLS 1.2 vs SSL3 negotiation. And from testing with sslclient it seems it decides to ignore quite a lot of installed CA certs, and sslclient will fail unless I specifically point to the CA cert the relevant site uses.

Thanks

Alex
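The acl list above only names the domains; the two things it is paired with in practice are an `ssl_bump` rule that exempts those destinations from bumping and an explicit CA bundle for the proxy's own verification of origin servers (the second point Alex raises about sslclient ignoring installed CA certs). The following squid.conf fragment is an added example for the Squid 3.2/3.3 `ssl_bump` syntax, not configuration posted in the thread; the paths for the bumping CA, the ssl_crtd database and the system CA bundle are assumptions and should be replaced with local values.

```squid
# Added example (not from the thread): exempt the problem sites from SSL Bump
# and point Squid at an explicit CA bundle for verifying origin servers.

http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid3/ssl_cert/bumpCA.pem          # assumed path to the bumping CA

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB   # assumed paths

# Destinations that fail when bumped with OpenSSL 1.0.1 (list from the thread).
acl nobump dstdomain .cardsonline-commercial.com
acl nobump dstdomain .nwolb.com
acl nobump dstdomain .studentloanrepayment.co.uk
acl nobump dstdomain .shareview.co.uk
acl nobump dstdomain .cahoot.com
acl nobump dstdomain .firstdirect.com
acl nobump dstdomain .nab.com.au
acl nobump dstdomain .rbs.co.uk

# Order matters: the first matching ssl_bump rule wins, so the exemption
# must come before the catch-all. "none" tunnels the CONNECT untouched,
# "server-first" (3.2/3.3 syntax) bumps after negotiating with the server.
ssl_bump none nobump
ssl_bump server-first all

# Verify origin certificates against an explicit bundle rather than whatever
# OpenSSL picks up by default; assumed Debian bundle path.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
```

Keeping the exemption list in a separate file (`acl nobump dstdomain "/etc/squid3/nobump.txt"`) makes it easier to extend as further sites turn up, and `sslproxy_cafile` combined with the default server-certificate verification means a site whose chain cannot be built still fails closed rather than being bumped with an unverified upstream.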


On 11/07/13 21:03, Eliezer Croitoru wrote:
Hey Alex,

I am unsure about the reason for the breakage of these sites since I have
never used squid SSL-BUMP other than compiling it yet.
Claiming it's a specific version of OpenSSL is quite a claim.
If you have tried with another version I would say you can claim it.

I would say that breaking any full duplex protocol always seems like
a bad idea to me.
I have seen other systems that *break* and bump ssl connections like
gmail and other sites.
And since I have seen other software *results* I would say the reason is
probably not OpenSSL directly but I cannot prove it yet.

I do hope that you can give examples of sites that do not play well with
SSLBump so I and others can test it.
If we test we can try to fix and debug it.
Please take your time and give a list of sites that can be tested which
are not banks or money organizations to make sure that the root and
source of the problem with SSL-BUMP is one way or another solvable.

If you can take a sec to file at http://bugs.squid-cache.org/ it will
help the project a lot.

Thanks,
Eliezer

On 07/11/2013 10:39 PM, Alex Crow wrote:
Hi Eliezer,

I build .debs for squeeze, basically copying the debian subdir from the
source packages into the extracted archives and adjusting accordingly
(ie modifying Changelog and deleting old patches). I tried wheezy but
the OpenSSL 1.0.1 horribly breaks *loads* of sites when using SSLBump.

Cheers

Alex
On 11/07/13 20:30, Eliezer Croitoru wrote:
Squid 3.3.7 is out and there was a new leak that was fixed and might
have caused the problem you are referring to.

If you have used my RPM there is an update to 3.3.6 which does not include
the latest patches, and a 3.3.7 with all the patches will probably be out
next week since it builds fine.
What version of linux are you using?

Eliezer

On 07/11/2013 08:32 PM, Alex Crow wrote:
Hi all,

I've been running 3.3.5 with NTLM auth, an icap service (c-icap with
clamav) and SSL Bump/Dynamic cert, and I've noticed that the squid3
process rapidly consumes almost all of my RAM (12G) within just a few
hours:

16143 proxy     20   0 8554m 8.2g 5788 S    0 69.6  35:09.43 squid3

My cache_mem is 4GB, and my disk cache is 48GB, which should, according
to estimates, use between 4.5 and 5.5G. (We only have about 350 users).

We were quite happily using 3.2.11 with the same parameters. Has anyone
else noticed very high memory usage with Squid 3.3.x in a similar setup?

Thanks

Alex