Re: after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Dieter Bloms <squid@xxxxxxxx> · Thu, 17 Sep 2015 09:18:49 +0200

Hello Amos,

thank you for your hints.

On Thu, Sep 17, Amos Jeffries wrote:

> > the relevant part ist:
> > 
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> 
> 
> Replace these...
> 
> > ssl_bump none nodecryptdomains
> > ssl_bump server-first all
> 
> ... with:
> 
>  acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice nodecrypt
>  ssl_bump bump all
> 
> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
> it anywhere else.

I've changed my config, but same results.
SSLBump works so far, only the site banking.postbank.de makes trouble.
My chrome browser says "ERR_CONNECTION_CLOSED" and in the squid log
looks like:

--snip--
1442473894.771     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074     48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134     47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193     45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--

here the ssl relevant part of my squid.conf
--snip--
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump peek step1
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
--snip--

so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
do a GET Request to https://banking.postbank.de/ to see if that works.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users