Search squid archive

Error when using peek/splice/terminate with Squid 3.5.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi All,

 

I am trying to configure an intercept proxy with peek/splice/terminate features in Squid 3.5.1 on CentOS 7 - 64 bit. I wanted to peak at steps 1 and step 2 and to decide on terminate on step 3 based on the SNI and server certificate values. It is working only for https://www.google.com, but lot of other ssl sites (likes of https://www.yahoo.com etc) are not getting loaded logging an “ Error negotiating SSL on FD 36: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext   in the cache.log (trying the same sites using openssl s_client command works). I was wondering if it has to do anything with my config or open ssl (version 1.0.1e) or anything else. The web sites are being accessed from a windows 7 workstation with IE 8 and Firefox 35.0.1 . Below is the squid.config section for peek and splice I am using.

 

acl step1 at_step  SslBump1

acl step2 at_step  SslBump2

acl step3 at_step  SslBump3

 

external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject </path/to/urlfilterscript>

acl URL_Allowed external SSL_URL_Filter

 

ssl_bump peek step1 all

ssl_bump peek step2 all 

ssl_bump terminate step3 !URL_Allowed

ssl_bump splice step3 all

 

# Squid normally listens to port 3128

http_port 3128

http_port 3129 intercept

https_port 3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem

 

Thanks in Advance,

John

Visit our Website at www.rmesi.co.in

This message is confidential and should not be copied or disclosed to anyone. If this email has come to you in error, please delete it, along with any attachments. Any views or opinions presented are only those of the author and not those of RMESI. RMESI accepts no liability for any loss or damage which may be caused by software viruses and it is your responsibility to ensure that this email and any attachments are free of viruses when you receive it. You may use and apply this email and the information contained in it for the intended purpose only and RMESI shall not be liable in any way in respect of use for any other purpose. In respect of all other matters, to the fullest extent permitted by applicable law, RMESI disclaims all responsibility and liability for the contents of this email (including any attachments). Please note that RMESI may intercept incoming and outgoing email communications.

RM Education Solutions India Pvt Ltd (CIN: U72200KL2003PTC015931) is a company registered in India with its registered office at B-5 Gayatri Building, Technopark Campus, Trivandrum, Kerala, 695 581. 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux