First. Where can your cache find OpenSSL's public CA certs? To validate the connection from the cache to the server, Squid must see the root authority CAs. I.e. (from my configuration; note: all Google services are bumped and work perfectly):

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key capath=/etc/opt/csw/ssl/certs

Second. OpenSSL's CA bundle is not complete. You must add ALL intermediate and missing root CAs and run c_rehash.

Third. Where are sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER in your configuration? Yes, this is dangerous, but it permits suppressing errors on some sites.

And finally, you can't bypass SSL bump on 3.4.x using dstdomain ACLs. Only IP-based dst ACLs are usable.

Regards,
Yuri.

06.02.2015 11:10, Luis Miguel Silva wrote:
> Dear all,
>
> I recently compiled squid-3.4.9 with ssl-bump support and, although it is working for the most part, I'm having some issues accessing some websites.
>
> The behavior is REALLY weird so I'm going to try and describe it the best I can:
> - If I access https://www.google.com/ in Chrome, I could see that it was processing my certificate MOST of the time...
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg
> - some other times, it seemed to bypass my proxy altogether and I finally figured out it was because Chrome will try to access QUIC-enabled websites using that protocol, so it would bypass my firewall redirect rules! I believe I have now solved this by blocking FORWARDING traffic on port 443 udp...
> - the weird thing is that, if I then try and access https://gmail.com, I get a certificate error:
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1
> - ...though, sometimes, I can access https://mail.gmail.com/ just fine (without any certificate errors), but stop being able to as soon as I try to access https://gmail.com/ and the browser complains about the certificate.
> -- and, according to my tests, I can access it from Firefox just fine MOST of the time:
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2
> -- though I have also seen situations where Firefox also complains about a certificate error when connecting to gmail.com
> - and, although I cannot reproduce it 100% of the time, sometimes, even though I have my iptables redirect rules ON, the browser still seems to "connect direct" (or, at least, it shows it has the original certificate)!
> -- like I said, at first, I was able to trace this back to QUIC in Chrome but... I'm currently blocking traffic on port 443 udp so I don't know what's happening here (does it use different ports?!)
>
> So, here are *my questions*:
> - why am I able to successfully ssl-bump https://www.google.com but not https://gmail.com/
> - why does Chrome freak out about gmail but not Firefox?
> - Is there a way to fix it OR, at least, to bypass it? (I tried creating an ACL for this and allowing direct traffic but it didn't seem to work...)
> -- can we make the connection go direct when SSL certificate errors are detected?
> - and has anyone else seen this problem where the browser seems to use the original certificate, even though I'm redirecting traffic to Squid?
>
> Not sure if this is relevant, but here are some SSL errors I caught in my cache.log file:
> root@server:/var/log/squid3# tail cache.log
> 2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
> 2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
> 2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 105: Closed by client
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 54: Broken pipe (32)
> 2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
> 2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: Closed by client
> 2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 45: Closed by client
> 2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 68: Closed by client
> root@server:/var/log/squid3#
>
> By the way, here's how I generated my certificate:
> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
> openssl x509 -in myCA.pem -outform DER -out certificate.der
> (note: myCA.pem is the certificate that Squid is using and certificate.der is the one I've been installing on the client computers)
>
> And here's what my current squid.conf looks like:
> root@server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf
> #Access Lists
> acl home_network src 192.168.200.0/24
>
> #Ports allowed through Squid
> acl Safe_ports port 80 #http
> acl Safe_ports port 443 #https
> acl SSL_ports port 443
> acl SSL method CONNECT
> acl CONNECT method CONNECT
>
> #allow/deny
> http_access allow home_network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
> acl broken_sites dstdomain .gmail.com
> ssl_bump none localhost
> ssl_bump none broken_sites
> ssl_bump server-first all
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/share/squid3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> #caching directory
> cache_dir ufs /var/spool/squid3 1024 16 128
> cache_mem 1024 MB
>
> #refresh patterns for caching static files
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
>
> dns_nameservers 8.8.8.8
>
> #rewrite program
> redirect_program /etc/squid3/filter.php
> root@server:/etc/squid3/ssl_cert#
>
> Thanks in advance,
> Luis
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
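An added, self-contained illustration of Yuri's second point (not code from the thread or from the Squid project): Squid's upstream verification is plain OpenSSL chain building against the `capath` directory, and OpenSSL only consults that directory through `<subject_hash>.N` symlinks of the kind c_rehash creates. The script below generates a throwaway root, intermediate and leaf (2048-bit keys rather than the 1024-bit root in the original post; the CA names and the `example.test` hostname are assumptions), then shows the leaf failing to verify with only the root hashed into the directory and succeeding once the intermediate is copied in and the directory is re-hashed. The `rehash_dir` function reimplements what c_rehash / `openssl rehash` does so the demo has no dependency beyond the `openssl` binary.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid's or Yuri's code.
# Demonstrates: an incomplete capath (missing intermediate) makes OpenSSL chain
# verification fail, and adding the cert plus re-hashing the directory fixes it.
# Assumptions: the CA names, the DNS name example.test, and all file paths.
set -eu

# Minimal openssl.cnf so `openssl req` works even where no system config exists.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
}

# Build root.crt (self-signed), inter.crt (signed by root) and leaf.crt (signed
# by inter) inside directory $1.
make_chain() {
  cd_=$1; cnf=$cd_/openssl.cnf
  write_cnf "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cnf" \
    -extensions ca_ext -subj "/CN=Demo Root CA" \
    -keyout "$cd_/root.key" -out "$cd_/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$cd_/inter.key" -out "$cd_/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$cd_/inter.csr" -CA "$cd_/root.crt" \
    -CAkey "$cd_/root.key" -CAcreateserial -extfile "$cnf" -extensions ca_ext \
    -out "$cd_/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/CN=example.test" -keyout "$cd_/leaf.key" -out "$cd_/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$cd_/leaf.csr" -CA "$cd_/inter.crt" \
    -CAkey "$cd_/inter.key" -CAcreateserial -extfile "$cnf" -extensions leaf_ext \
    -out "$cd_/leaf.crt" 2>/dev/null
}

# What c_rehash does: one <subject_hash>.N symlink per certificate in the dir.
# A cert copied into capath without re-hashing is invisible to OpenSSL (and
# therefore to Squid), which is exactly the "add CAs and run c_rehash" advice.
rehash_dir() {
  rm -f "$1"/*.[0-9]
  for f in "$1"/*.crt "$1"/*.pem; do
    [ -f "$f" ] || continue
    h=$(openssl x509 -subject_hash -noout -in "$f")
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$f")" "$1/$h.$n"
  done
}

# Exit 0 when certificate $2 chains to a trusted root via hashed directory $1.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Full demo. Returns 0 only if verification fails with the root alone and
# succeeds once the intermediate is added and the directory re-hashed.
demo_capath_fix() {
  dd_=$1; capath=$dd_/capath
  make_chain "$dd_"
  mkdir -p "$capath"
  cp "$dd_/root.crt" "$capath/"
  rehash_dir "$capath"
  if verify_with_capath "$capath" "$dd_/leaf.crt"; then
    echo "unexpected: leaf verified without the intermediate"; return 1
  fi
  echo "root only in capath: leaf fails to verify (unable to get local issuer)"
  cp "$dd_/inter.crt" "$capath/"
  rehash_dir "$capath"
  verify_with_capath "$capath" "$dd_/leaf.crt" || {
    echo "unexpected: leaf still fails after adding the intermediate"; return 1; }
  echo "intermediate added and re-hashed: leaf verifies"
}

demo_capath_fix "${1:-$(mktemp -d)}"
```

Run it as `sh capath_demo.sh /tmp/capath-demo` and inspect `/tmp/capath-demo/capath` afterwards: the `.0` symlinks are what a real `capath=` directory for Squid needs for every root and intermediate the upstream sites present, and the first, failing `openssl verify` is the same condition that makes Squid report a certificate error to the browser when the bundle is incomplete.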