Also this issue is no more appearing if I peek step 1 alone and splice the remaining ones. acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 all ssl_bump splice all So I guess the issue is with the PeerConnector module where SSL_connect method is being used to connect and parse the server certificate.
I had added this as a bug as well.
http://bugs.squid-cache.org/show_bug.cgi?id=4202
Regards, John
From: John Killimangalam Jacob
Sent: Monday, February 16, 2015 11:25 AM
To: 'squid-users@xxxxxxxxxxxxxxxxxxxxx'
Subject: Error when using peek/splice/terminate with Squid 3.5.1
Hi All,
I am trying to configure an intercept proxy with peek/splice/terminate features in Squid 3.5.1 on CentOS 7 - 64 bit. I wanted to peak at steps 1 and step 2 and to decide on terminate on step 3 based on the SNI and server certificate values. It is working only for https://www.google.com, but lot of other ssl sites (likes of https://www.yahoo.com etc) are not getting loaded logging an “ Error negotiating SSL on FD 36: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext “ in the cache.log (trying the same sites using openssl s_client command works). I was wondering if it has to do anything with my config or open ssl (version 1.0.1e) or anything else. The web sites are being accessed from a windows 7 workstation with IE 8 and Firefox 35.0.1 . Below is the squid.config section for peek and splice I am using.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject </path/to/urlfilterscript>
acl URL_Allowed external SSL_URL_Filter
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump terminate step3 !URL_Allowed
ssl_bump splice step3 all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem
Thanks in Advance,
John
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users