On 11/03/2015 2:46 a.m., Roel van Meer wrote:
> Hi list!
>
> I'm trying to get peek/splice working with intercepted https
> connections. The final goal is to accept or reject connections based on
> the SNI info that we get from the first peek. So first, I would like to
> be able to do peek/splice on all requests, and then later I can use an
> external acl to block some of them.
>
> I'm having trouble getting the first step to work. My peek/splice config
> works when I use lynx as a browser, but not (well) with firefox or
> chrome. The latter two sometimes return a result, but often don't. When
> this happens I get diverse errors in the cache log like:
>
> Error negotiating SSL on FD 20: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
> Error negotiating SSL on FD 41: error:14094085:SSL
> routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
> Error negotiating SSL on FD 31: error:1407743E:SSL
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
>
> The relevant portions of squid.conf:
>
> https_port 192.168.13.1:3130 intercept ssl-bump options=ALL
> cert=/etc/ssl/certs/server.pem

With "options=ALL" you have enabled all features in the OpenSSL library,
including features which can cause the popular modern browsers to view
Squid as a dangerously insecure server.

>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek step1
> ssl_bump peek step2
> ssl_bump splice all
>

There's nothing in the above which uses SNI. All that does is cause Squid
to explicitly look at the TLS handshake that is going on, then to splice
the two connections together as if it weren't there.

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Then you are explicitly disabling the checks to ensure the connections
Squid uses to send the clients' private data to servers are secure.

>
> I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
> Traffic is redirected from port 443 to 3130 with iptables.

... and with an older version of OpenSSL missing many of the last few
years' worth of TLS crypto features. IIRC the library releases are now up
to 1.1.* or something. It's best to keep that kind of thing operating on
the latest versions.

It may sound silly but, do all those browsers even support SNI on your OS
with the crypto libraries they use?

Amos
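As an added example, not part of Roel's post or of Amos's reply: the posted squid.conf fragment rewritten along the lines Amos describes (no "options=ALL", no "DONT_VERIFY_PEER", no blanket allow of certificate errors), with the SNI-based accept/reject that Roel is after done with Squid's own ssl::server_name acl (available in Squid 3.5) instead of an external acl. The address, port and certificate path are the ones from the original post; the acl name "blocked_sni" and its domain list are constructed placeholders to be replaced with a real policy.

```conf
# Weak form as posted (shown for contrast, do not use):
#   https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
#
# Corrected form: only disable the legacy protocols, leave the rest of
# OpenSSL's defaults alone, and keep server certificate verification on.
https_port 192.168.13.1:3130 intercept ssl-bump \
    options=NO_SSLv2,NO_SSLv3 \
    cert=/etc/ssl/certs/server.pem

# Do NOT set sslproxy_flags DONT_VERIFY_PEER. Certificate errors on the
# server side are denied rather than blindly allowed.
sslproxy_cert_error deny all

# Bumping steps: at SslBump1 Squid has only the client's TCP details; after
# a peek at step 1 it has parsed the ClientHello, so at SslBump2 the SNI
# is available to acls.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Constructed placeholder list: SNI names (and their subdomains) to reject.
# In step 2 ssl::server_name matches the SNI from the ClientHello.
acl blocked_sni ssl::server_name .blocked.example .other-blocked.example

# Step 1: look at the ClientHello without altering it.
ssl_bump peek step1

# Step 2: the SNI is now known. Terminate connections to blocked names;
# everything else is spliced through untouched, as Roel intended.
ssl_bump terminate blocked_sni
ssl_bump splice all
```

The decision point is the order of the ssl_bump lines: the terminate rule has to come after the step-1 peek (so the SNI has been read) and before the catch-all splice (so it is evaluated at all). Note that SNI is client-supplied and unauthenticated, so a check on it is a policy filter, not a guarantee of where the spliced connection actually goes; the cert-error and peer-verification settings are what keep the server side honest.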