Dear all,
I recently compiled squid-3.4.9 with ssl-bump support and, although it is working for the most part, I'm having some issues accessing some websites.
The behavior is REALLY weird so I'm going to try and describe it the best I can:
- If I access https://www.google.com/ in Chrome, I could see that it was processing my certificate MOST of the times...
- some other times, it seemed to bypass my proxy altogether and I finally figured out it was because Chrome will try to access QUIC enabled websites using that protocol, so it would bypass my firewall redirect rules! I believe I now have solved this by blocking FORWARDING traffic on port 443 udp...
- the weird thing is that, if I then try and access https://gmail.com, I get a certificate error:
screenshot here: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1
- ...though, sometimes, I can access https://mail.gmail.com/ just fine (without any certificate errors), but stop being able to as soon as I try to access https://gmail.com/ and the browser complains about the certificate.
-- and, according to my tests, I can access it from Firefox just fine MOST of the times:
screenshot here: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2
-- though I have also seen situations where Firefox also complains about a certificate error when connecting to gmail.com
- and, although I cannot reproduce it 100% of the times, sometimes, even though I have my iptables redirect rules ON, the browser still seems to "connect direct" (or, at least, it shows it has the original certificate)!
-- like I said, at first, I was able to trace this back to QUIC in Chrome but... I'm currently blocking traffic on port 443 udp so I don't know what's happening here (does it use different ports?!)
So, here are my questions:
- why am I able to successfully ssl-bump https://www.google.com but not https://gmail.com/?
- why does Chrome freak out about Gmail but not Firefox?
- Is there a way to fix it OR, at least, to bypass it? (I tried creating an ACL for this and allowing direct traffic but it didn't seem to work...)
-- can we make the connection go direct when ssl certificate errors are detected?
- and has anyone else seen this problem where the browser seems to use the original certificate, even though I'm redirecting traffic to Squid?
Not sure if this is relevant, but here are some ssl errors I caught on my cache.log file:
root@server:/var/log/squid3# tail cache.log
2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 105: Closed by client
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 54: Broken pipe (32)
2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: Closed by client
2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 45: Closed by client
2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 68: Closed by client
root@server:/var/log/squid3#
By the way, here's how I generated my certificate:
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out certificate.der
(note: myCA.pem is the certificate that Squid is using and certificate.der is the one I've been installing on the client computers)
And here's what my current squid.conf looks like:
root@server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf
#Access Lists
acl home_network src 192.168.200.0/24
#Ports allowed through Squid
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
#allow/deny
http_access allow home_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
acl broken_sites dstdomain .gmail.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/share/squid3/var/lib/ssl_db -M 4MB
sslcrtd_children 5
#caching directory
cache_dir ufs /var/spool/squid3 1024 16 128
cache_mem 1024 MB
#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
dns_nameservers 8.8.8.8
#rewrite program
redirect_program /etc/squid3/filter.php
root@server:/etc/squid3/ssl_cert#
Thanks in advance,
Luis
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
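The cache.log excerpt above mixes plain disconnects with one line where the client actually refused the bumped certificate. The following script is an added example (not part of the post, and not Squid's own tooling) that tallies clientNegotiateSSL failures by cause so the certificate rejections stand out; the sample lines are constructed in the same format as the posted excerpt.

```sh
#!/bin/sh
# Added example (not from the original post): tally the clientNegotiateSSL
# failures in a Squid cache.log by cause, so genuine certificate rejections
# can be told apart from ordinary disconnects.

# Constructed sample in the same format as the posted cache.log excerpt.
SAMPLE_LOG='2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:20 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 80: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2015/02/05 21:49:24 kid1| storeDirWriteCleanLogs: Starting...'

# Reads cache.log on stdin; prints "<count> <category>" per category.
# A TLS alert in the error string was *received* from the client, i.e. the
# browser saw the certificate Squid forged for the site and refused it:
# "unknown ca" means the signing CA is not trusted by that client,
# "bad certificate" is a more general refusal. "Closed by client" and
# "Broken pipe" are plain disconnects with no verdict on the certificate.
summarize_ssl_errors() {
    awk '
    /clientNegotiateSSL: Error negotiating SSL connection on FD/ {
        reason = $0
        sub(/.*on FD [0-9]+: /, "", reason)
        if (match(reason, /alert [a-z ]+ \(/)) {
            # text between "alert " and " ("
            category = substr(reason, RSTART + 6, RLENGTH - 8)
            gsub(/ /, "_", category)
            category = "client_rejected_cert:" category
        } else if (reason ~ /^Closed by client/) {
            category = "closed_by_client"
        } else if (reason ~ /^Broken pipe/) {
            category = "broken_pipe"
        } else {
            category = "other"
        }
        count[category]++
    }
    END { for (c in count) print count[c], c }' | sort -k2
}

# Prints the count for one category name (0 if absent); cache.log on stdin.
count_category() {
    summarize_ssl_errors | awk -v want="$1" '$2 == want { print $1; found = 1 } END { if (!found) print 0 }'
}

# On a live box: summarize_ssl_errors < /var/log/squid3/cache.log
printf '%s\n' "$SAMPLE_LOG" | summarize_ssl_errors
```

A rising count of client_rejected_cert:unknown_ca means clients are seeing the generated certificates but do not trust the CA that signed them, which is a client trust-store problem rather than a Squid one; the disconnect categories say nothing about the certificate and are normal background noise.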
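The two openssl commands in the post create the CA key and certificate in one file and then export a DER copy for the clients. The script below is an added example (not from the post) that does the same job with the key kept in its own permission-restricted file, an explicit CA extension section that does not depend on the system openssl.cnf, and two checks a practitioner wants before blaming the browser: that the DER file handed to clients is byte-for-byte the certificate Squid serves, and that it is marked CA:TRUE. The CN, file names and the 2048-bit key size are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): generate the bumping CA with
# key and certificate in separate files, export the DER copy for clients, and
# confirm that what the clients install is the certificate Squid presents.
# File names and the CN are assumptions; requires the openssl CLI.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # Self-contained request config so the result does not depend on the
    # x509_extensions section of the system's default openssl.cnf.
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Squid Bump CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        -config "$WORK/ca.cnf" -keyout "$WORK/myCA.key" -out "$WORK/myCA.crt"
    chmod 600 "$WORK/myCA.key"          # only Squid needs to read this
    # Squid's cert= option accepts one file holding both, like the posted myCA.pem
    cat "$WORK/myCA.crt" "$WORK/myCA.key" > "$WORK/myCA.pem"
    chmod 600 "$WORK/myCA.pem"
    # DER copy for the client trust stores: certificate only, never the key
    openssl x509 -in "$WORK/myCA.crt" -outform DER -out "$WORK/certificate.der"
}

# SHA-256 fingerprint of a certificate; $1 = file, $2 = PEM or DER
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds if the DER file given to clients is the certificate in Squid's cert= file
client_cert_matches_squid() {
    [ "$(fingerprint "$WORK/myCA.pem" PEM)" = "$(fingerprint "$WORK/certificate.der" DER)" ]
}

# Succeeds if the certificate is a CA; browsers will not accept the per-host
# certificates Squid generates unless their issuer carries CA:TRUE
is_ca_cert() {
    openssl x509 -in "$WORK/myCA.crt" -noout -text | grep -q 'CA:TRUE'
}

if command -v openssl >/dev/null 2>&1; then
    make_ca
    client_cert_matches_squid && is_ca_cert && echo "client DER matches Squid's CA and CA:TRUE is set"
fi
```

Comparing the fingerprint shown in the browser's certificate viewer against the output of fingerprint is the quickest way to tell whether a certificate error comes from a stale or wrong CA import on the client.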
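The post describes redirecting traffic into the intercept ports from the squid.conf above and blocking UDP 443 so Chrome cannot bypass the proxy over QUIC. The script below is an added example (not from the post) that reads the intercept ports out of squid.conf and prints the matching iptables rules, so the two cannot drift apart; it applies nothing unless run with --apply. The interface name is an assumption, the LAN range is taken from the posted home_network ACL, and the embedded squid.conf excerpt is a constructed stand-in used only when the real file is not readable.

```sh
#!/bin/sh
# Added example (not from the original post): derive the interception ports
# from squid.conf and print the matching iptables rules, including the UDP 443
# (QUIC) reject the post mentions. Interface name is an assumption; rules are
# only applied when the script is run with --apply.

LAN_IF="${LAN_IF:-eth1}"                  # assumed: the interface facing the LAN
LAN_NET="${LAN_NET:-192.168.200.0/24}"    # matches the posted home_network ACL
SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"

# Constructed excerpt of the posted squid.conf, used when the real file is not readable.
SAMPLE_CONF='http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid3/ssl_cert/myCA.pem'

conf_text() {
    if [ -r "$SQUID_CONF" ]; then cat "$SQUID_CONF"; else printf '%s\n' "$SAMPLE_CONF"; fi
}

# Port of the first "<directive> <port> intercept" line; $1 is http_port or https_port.
# Only ports flagged intercept may receive REDIRECTed connections: Squid treats
# traffic arriving on the plain forward-proxy port (3128 above) as proxy
# requests and rejects transparently redirected ones.
intercept_port() {
    conf_text | awk -v d="$1" '$1 == d && $3 == "intercept" { print $2; exit }'
}

# Prints the rule set with comments; fails if squid.conf has no intercept ports.
gen_rules() {
    http=$(intercept_port http_port)
    https=$(intercept_port https_port)
    [ -n "$http" ] && [ -n "$https" ] || { echo "no intercept ports found in $SQUID_CONF" >&2; return 1; }
    cat <<EOF
# plain HTTP from the LAN -> http_port $http intercept
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $http
# HTTPS from the LAN -> https_port $https intercept ssl-bump
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $https
# QUIC runs over UDP 443 and cannot be bumped; rejecting it makes Chrome fall
# back to TCP, where the REDIRECT above catches the connection
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 443 -j REJECT
EOF
}

if [ "$1" = "--apply" ]; then
    gen_rules | grep -v '^#' | sh -e
else
    gen_rules
fi
```

REJECT rather than DROP is deliberate: an ICMP unreachable lets Chrome give up on QUIC immediately instead of waiting for a timeout on every new connection, which is what makes the "sometimes it connects direct" symptom so intermittent when the UDP path is merely black-holed.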