On 11/12/2015 11:31 AM, Tom Mowbray wrote: > We're seeing some strange behavior where certain sites, especially those > hosted by Google, including youtube.com <http://youtube.com>, where the > HTTPS traffic is being "bumped" and users are getting certificate errors > with our self-signed certificate and CA appearing in the certificate > details. Can you tell what Squid is sending on some of those bumped connections? Could it be an error message? What does access.log say? > What is strange is that we have the squid.conf set to either "splice" or > "terminate" all HTTPS traffic. There is NO traffic that is supposed to > be bumped at all (because we are not able to load our CA cert on all > client machines). > > Here is the significant portion of our squid.conf: > > acl sslallow ssl::server_name "/path/to/file" > ssl_bump peek all > ssl_bump splice sslallow > ssl_bump terminate all > > Most of the sites in acl sslallow work as expected...but some sites come > back with a certificate error as described above, suggesting that they > were "bumped" using our mimicked certificate. This behavior also isn't > 100% reproducible...sometimes it works as expected, though it usually > does not. Do you tell Squid to splice on all SSL validation errors and when seeing non-SSL traffic on expecting-SSL connections? If yes, then this is most likely a Squid bug. Otherwise, perhaps Squid is trying to inform users of an error? Triage is needed to understand why Squid is bumping. There is also a possibly related bug 4321, but it should not affect steps 2 and 3 where you terminate connections: http://bugs.squid-cache.org/show_bug.cgi?id=4321 > Another note: Seems to happen mainly on mobile browsers and on Chrome > browser running on Google Chromebooks. > > Is there something I'm missing? Is there a way to ensure that NO sites > are being bumped at all? Yes, there are (or should be) three ways: 1. Do not use SslBump at all. 2. Use "ssl_bump splice all" rule and no other ssl_bump rule. 3. Do not use any "ssl_bump bump" and "ssl_bump stare" rules while allowing all SSL errors and non-SSL traffic. #1 is known to work. Others may or may not work, depending on your Squid version, yet-unknown Squid bugs, and other specifics. > (For our deployment, we'd rather terminate > than bump if splicing isn't possible). Your ssl_bump rules reflect your intent. However, when you use "ssl_bump peek all", Squid has to validate SSL clients and servers (to various degrees). Other Squid directives tell Squid what to do when that validation fails. The ones I remember are on_unsupported_protocol and sslproxy_cert_error. Do you configure those directives to ignore all errors (and, hence, let users deal with them, including abusing them for tunnelling anything through your Squid)? HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
