Hi,
I also have a similar environment with squid (version 3.5.2-20150218-r13758) and openssl 1.0.1k, but for me only a small number of https sites are working with peek and splice. For example, I can access https://www.google.com but not https://ssllabs.com and a lot of other https domains, which give "Error negotiating SSL on FD 15: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)" in the cache.log file.
Also I could see a bunch of other error messages in the cache.log file relating to openssl (like "Error negotiating SSL on FD 21: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)", "Error verifying certificates" etc.) when I tried to access sites like https://www.facebook.com, https://www.yahoo.com etc.
Squid is running on a CentOS 7 x64 box and the workstation is Win7 with Firefox and Chrome. I tried configuring openssl with certain options disabled (no-nextprotoneg and no-ec) as well as with the recent openssl version 1.0.2, but without any success.
Below is my squid config file.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
ssl_bump peek all
ssl_bump splice all
# Squid normally listens to port 3128
http_port <WAN Interface IP>:3128
http_port <WAN Interface IP>:3129 intercept
https_port <WAN Interface IP>:3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem
Does this have anything to do with my environment or the config options? Any help on this is highly appreciated.
Thanks in advance,
John
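As an added example (not from the original post, nor part of Squid or OpenSSL), a small Python triage script for the "Error negotiating SSL" lines Squid writes to cache.log: it decodes the packed OpenSSL 1.0.x error code into its library/function/reason numbers and counts failures by textual reason, so the dominant failure mode stands out when many domains fail. The log lines are constructed from the messages quoted above, and the field layout of the error code is OpenSSL's ERR_PACK convention.

```python
import re
from collections import Counter

# Constructed sample cache.log lines, modelled on the messages quoted in the post.
SAMPLE_LOG = """\
2015/03/11 10:01:02| Error negotiating SSL on FD 15: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)
2015/03/11 10:01:05| Error negotiating SSL on FD 21: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)
2015/03/11 10:01:09| Error negotiating SSL on FD 17: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)
2015/03/11 10:01:12| Error verifying certificates
"""

# Squid logs the OpenSSL error string verbatim: error:<hex code>:<lib>:<func>:<reason>.
LINE_RE = re.compile(
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?) \("
)

ERR_LIB_SSL = 20  # OpenSSL's library number for the SSL/TLS routines

def unpack_code(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason).
    ERR_PACK layout: bits 31..24 library, 23..12 function, 11..0 reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_ssl_errors(log_text):
    """Return one dict per 'Error negotiating SSL' line found in log_text."""
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "Error verifying certificates" carries no OpenSSL code
        lib, func, reason = unpack_code(m.group("code"))
        errors.append({
            "fd": int(m.group("fd")),
            "code": m.group("code").upper(),
            "lib": lib, "func": func, "reason": reason,
            "where": m.group("func"),          # textual function name
            "why": m.group("reason").strip(),  # textual reason
        })
    return errors

def summarize(errors):
    """Count failures per (function, reason) so the dominant failure mode stands out."""
    return Counter((e["where"], e["why"]) for e in errors)

if __name__ == "__main__":
    for (where, why), n in summarize(parse_ssl_errors(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {where}: {why}")
```

Feed it the real cache.log instead of SAMPLE_LOG to see which handshake stage and reason account for most of the failing domains before changing the OpenSSL build.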
On Tue, Mar 10, 2015 at 10:42 PM, Roel van Meer <roel@xxxxxxxx> wrote:
Roel van Meer writes:
>> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
>> > Traffic is redirected from port 443 to 3130 with iptables.
>>
>> ... and with an older version of OpenSSL missing many of the last few
>> years worth of TLS crypto features. IIRC the library releases are now up
>> to 1.1.* or something. Its best to keep that kind of thing operating the
>> latest versions.
>
> I know it missing the latest features, but security patches are
> backported. And I know it is old, but it's what I have to work with
> now. Do you think it might be the cause of the problem I'm having with
> peek/splice, or was it a general recommendation?
It's a potential source of problems. Chrome is very much on the front
line of the arms race attempting to stop things like SSL-Bump working.
Firefox implement their own crypto library which tracks the latest TLS
features at a similar speed of development.
OpenSSL will be perpetually behind both of them, but at least the latest
one(s) have better chances not to be advertising features they reject in
"considered harmful" grounds.
I'll have a go then at trying with a newer openssl and the patches from the thread you mentioned.
With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections with no trouble. Tested with Lync, Chrome, Firefox, and IE.
So you were right. :) Thanks a lot for pointing me in the right direction!
Cheers,
Roel
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users