
Re: Error when using peek/splice/terminate with Squid 3.5.1

Also, this issue no longer appears if I peek at step 1 alone and splice the remaining ones.

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3


ssl_bump peek step1 all
ssl_bump splice all

So I guess the issue is with the PeerConnector module, where the SSL_connect method is used to connect and parse the server certificate.

I have added this as a bug as well:
http://bugs.squid-cache.org/show_bug.cgi?id=4202
Regards,
John

From: John Killimangalam Jacob
Sent: Monday, February 16, 2015 11:25 AM
To: 'squid-users@xxxxxxxxxxxxxxxxxxxxx'
Subject: Error when using peek/splice/terminate with Squid 3.5.1

Hi All,

I am trying to configure an intercept proxy with the peek/splice/terminate features in Squid 3.5.1 on CentOS 7 (64 bit). I wanted to peek at step 1 and step 2 and decide on terminate at step 3 based on the SNI and server certificate values. It is working only for https://www.google.com, but a lot of other SSL sites (the likes of https://www.yahoo.com etc.) are not getting loaded, logging an "Error negotiating SSL on FD 36: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext" in the cache.log (trying the same sites using the openssl s_client command works). I was wondering if it has anything to do with my config or OpenSSL (version 1.0.1e) or anything else. The web sites are being accessed from a Windows 7 workstation with IE 8 and Firefox 35.0.1. Below is the squid.conf section for peek and splice I am using.

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3

external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject </path/to/urlfilterscript>
acl URL_Allowed external SSL_URL_Filter

ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump terminate step3 !URL_Allowed
ssl_bump splice step3 all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem


Thanks in Advance,

John

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
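The helper behind </path/to/urlfilterscript> is not shown in the thread. The script below is an added example (not John's script and not Squid's own code) of an external_acl_type helper for the three tokens in that definition: it reads one request line per lookup, splits it into %SRC, the client's SNI and the server certificate subject, and answers "OK" or "ERR" per line. It assumes the fields arrive url-escaped (Squid's quote=url helper input format), that concurrency= is not set (so there is no channel-id prefix), that the subject is OpenSSL's one-line DN form, and it uses a constructed allow-list. The security point it makes is the one this configuration depends on: at SslBump2 only the SNI is known and the SNI is whatever the client chose to send, so a decision taken at SslBump3 should also require the server certificate's CN to agree with that SNI.

```python
#!/usr/bin/env python3
"""Example Squid external_acl_type helper (added example, not from the thread) for
   external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject <helper>
Squid writes one request line per lookup (tokens separated by spaces) and waits
for one reply line, "OK", "ERR" or "BH", per request.
Assumptions: url-escaped fields (quote=url), no concurrency= channel id, and the
subject in OpenSSL one-line DN form such as /C=US/O=Yahoo Inc/CN=www.yahoo.com."""
import sys
from urllib.parse import unquote

# Constructed allow-list for this example; a real helper would load it from a file.
ALLOWED_DOMAINS = {"google.com", "yahoo.com"}


def parse_request_line(line):
    """Return (src, sni, cert_subject). Squid sends '-' for a token that has no
    value yet, e.g. no server certificate before SslBump3, so pad to three."""
    fields = [unquote(f) for f in line.split()]
    while len(fields) < 3:
        fields.append("-")
    return tuple(fields[:3])


def cn_from_subject(subject):
    """Extract the CN from a one-line DN, or None if no certificate was given."""
    if subject in ("", "-"):
        return None
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:].strip().lower()
    return None


def host_allowed(host):
    """True if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def cn_matches_sni(cn, sni):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if cn.startswith("*."):
        suffix = cn[1:]                      # "*.yahoo.com" -> ".yahoo.com"
        return sni.endswith(suffix) and sni.count(".") == cn.count(".")
    return cn == sni


def decide(src, sni, subject):
    """Policy: the client-chosen SNI must be on the allow-list, and once the
    server certificate is available (SslBump3) its CN must agree with that SNI,
    because the SNI alone is attacker-controlled. src is available for
    per-client rules but unused in this example."""
    if sni in ("", "-"):
        return "ERR"                         # nothing to filter on: deny
    sni = sni.lower().rstrip(".")
    if not host_allowed(sni):
        return "ERR"
    cn = cn_from_subject(subject)
    if cn is not None and not cn_matches_sni(cn, sni):
        return "ERR"                         # certificate does not vouch for the SNI
    return "OK"


def handle_line(line):
    """Map one request line to the reply Squid expects."""
    line = line.strip()
    if not line:
        return "BH"                          # malformed request: report helper failure
    src, sni, subject = parse_request_line(line)
    return decide(src, sni, subject)


def main():
    # Squid blocks on each reply, so every line must be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With the url-escaped input assumed here, a step 3 lookup for www.yahoo.com arrives as something like `10.0.0.5 www.yahoo.com %2FC%3DUS%2FO%3DYahoo%20Inc%2FCN%3Dwww.yahoo.com` and gets "OK", whereas the same SNI paired with a certificate for an unrelated CN gets "ERR". Check the `quote=` option in the external_acl_type documentation for the Squid version in use before relying on that field format, and note that cert_subject carries only the subject DN, not the subjectAltName entries that modern certificates rely on.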
