
peek/splice working with lynx but not with firefox or chrome

Hi list!

I'm trying to get peek/splice working with intercepted https connections. The final goal is to accept or reject connections based on the SNI info that we get from the first peek. So first, I would like to be able to do peek/splice on all requests, and then later I can use an external acl to block some of them.

I'm having trouble getting the first step to work. My peek/splice config works when I use lynx as a browser, but not (well) with firefox or chrome. The latter two sometimes return a result, but often don't. When this happens I get diverse errors in the cache log like:

 Error negotiating SSL on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
 Error negotiating SSL on FD 41: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
 Error negotiating SSL on FD 31: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)

The relevant portions of squid.conf:

 https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem

 # at_step ACLs select which SslBump step is currently being decided
 acl step1 at_step SslBump1
 acl step2 at_step SslBump2
 acl step3 at_step SslBump3

 # peek at the client hello (step1) and the server hello (step2), then splice
 ssl_bump peek step1
 ssl_bump peek step2
 ssl_bump splice all

 # do not fail on server certificate errors, and skip peer verification
 sslproxy_cert_error allow all
 sslproxy_flags DONT_VERIFY_PEER

I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. Traffic is redirected from port 443 to 3130 with iptables.

Any help would be really appreciated.

Thanks a lot,

Roel
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
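The post's stated end goal is to splice or block intercepted HTTPS connections by the SNI learned at the first peek, via an external ACL. Below is an added example of such a helper, written for this thread and not taken from the post or from the Squid project. It speaks the Squid external ACL helper protocol (one request line in, one "OK"/"ERR" line out, with a numeric channel id echoed back when the helper is started with concurrency). The squid.conf wiring in the docstring, the helper path /usr/local/bin/sni_acl.py, the ACL names sni_check and sni_ok, and the allow-list are all assumptions for illustration. For a static list of names, Squid 3.5's built-in ssl::server_name ACL does the same job without a helper; a helper is worth it when the decision needs an external lookup.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that allows or denies by TLS SNI.

Added example for the squid-users thread above; not from the original
post or from Squid. Assumed squid.conf wiring (all names hypothetical):

    external_acl_type sni_check ttl=60 negative_ttl=10 children-max=4 \
        concurrency=16 %ssl::>sni /usr/local/bin/sni_acl.py
    acl sni_ok external sni_check
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump splice sni_ok
    ssl_bump terminate all

Squid peeks at step1, so the SNI from the client hello is available when
the splice/terminate decision is made at step2.  With concurrency > 0
every request line starts with a channel id that must be echoed back.
"""
import sys
from urllib.parse import unquote

# Constructed allow-list for the example; load it from a file in practice.
ALLOWED_SUFFIXES = ("example.com", "example.net")


def sni_allowed(sni: str) -> bool:
    """True if sni equals, or is a subdomain of, an allowed name."""
    name = unquote(sni).strip().lower().rstrip(".")
    # Squid passes "-" when the client sent no SNI; deny those so that
    # hosts without a name cannot bypass the policy.
    if not name or name == "-":
        return False
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def handle_line(line: str, concurrent: bool = True) -> str:
    """Turn one request line from Squid into the reply line.

    concurrent=True matches concurrency=16 in the assumed config: the
    first token is the channel id, the second the %ssl::>sni value.
    """
    parts = line.strip().split()
    if concurrent:
        if len(parts) < 2:
            # Malformed line; still answer on the channel if we have one.
            return (parts[0] + " ERR") if parts else "ERR"
        channel, sni = parts[0], parts[1]
        return f"{channel} {'OK' if sni_allowed(sni) else 'ERR'}"
    if not parts:
        return "ERR"
    return "OK" if sni_allowed(parts[0]) else "ERR"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

Because ssl_bump rules are evaluated per step, the helper is only consulted once the peek at step1 has produced an SNI; connections whose client hello carries no SNI are rejected by the helper, and the final "terminate all" rule closes anything the helper did not approve.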