On 10/12/2015 6:29 p.m., Alex Samad wrote:
> Hi
>
> config
> https_port 22.4.2.5:443 accel
> cert=/etc/httpd/conf.d/office.abc.com.crt
> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
> options=NO_SSLv2,NO_SSLv3
> dhparams=/etc/squid/squid-office-dhparams.pem
> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

None of those ECDHE entries will work properly. Squid does not have the
additional curve name support needed to configure them.

> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer

Note that these cache_peer cert details are the "client certificate"
used to 2-way TLS authenticate Squid with the Office server. I doubt the
same certificate used on the https_port will work as both server and
client certificate. Perhaps that is why the verification has to be fully
disabled.

> acl exch_domain dstdomain office.abc.com
> acl exch_path urlpath_regex -i /exch(ange|web)
> acl exch_path urlpath_regex -i /public
> acl exch_path urlpath_regex -i /owa
> acl exch_path urlpath_regex -i /ecp
> acl exch_path urlpath_regex -i /microsoft-server-activesync
> acl exch_path urlpath_regex -i /rpc
> acl exch_path urlpath_regex -i /rpcwithcert
> acl exch_path urlpath_regex -i /exadmin
> acl exch_path urlpath_regex -i /ews
> acl exch_path urlpath_regex -i /oab
> acl exch_path urlpath_regex -i /autodiscover
> cache_peer_access exchangeServer allow exch_domain exch_path
> cache_peer_access webServer deny exch_domain exch_path
> never_direct allow exch_domain exch_path
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> access_log stdio:/var/log/squid/office-access.log squid
> cache_log /var/log/squid/office-cache.log
> cache_store_log stdio:/var/log/squid/office-cache_store.log
> pid_filename /var/run/squid-office.pid
> visible_hostname office.abc.com
> deny_info TCP_RESET all
> http_access allow all
> miss_access allow all
> icp_port 0
> snmp_port 0
>
>
>
> cache.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain yieldbroker.com from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.100 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.102 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-access.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-cache_store.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB, estimated 2520 objects
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem size: 32768 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11 flags=9
> Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects
>
>
> cache log
> Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF BE6736C8CD1A74A54575AF9880395D04 ? ? ? ? ?/? ?/? ? ?
> Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF 78C390A2D412F8E601035A2C1FD771C8 ? ? ? ? ?/? ?/? ? ?
> Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF A7D8B3751858C54225D29408B56FE42D ? ? ? ? ?/? ?/? ? ?
> Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF 35992070307CD15EE743F71344E1C1AE ? ? ? ? ?/? ?/? ? ?
> Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF 17EFD3BCAF4265B7CF7803AD0289DD7E ? ? ? ? ?/? ?/? ? ?
> Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF 2666EC9714425D57FDC4CD15965D350B ? ? ? ? ?/? ?/? ? ?
>
>
>
> access.logs
> Dec 10 16:17:09 2015.706 13 192.168.56.1 TCP_MISS/200 6578 POST https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11 text/xml
> Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 text/html
> Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:20:07 2015.305 24688 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:20:07 2015.306 24654 192.168.56.1 TCP_MISS_ABORTED/200 2004 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
>

Can you enable "debug_options 11,2" and get a trace of the message
headers going through for those requests?

>
> This is when I try and send an email with an attachment. An email with
> no attachment goes through no problem...
>
>
> this config works with 3.1, not with 3.5 ..
>
> still on .11 as I can't find a CentOS 6 compile of .12

Okay. It seems Eliezer is only getting to it in a few days.

>
> I think there is some issue with rpc sending or receiving ..
>

I've been doing some work in the SSL/TLS code recently and found that
Squid is always sending "http/1.1" for the TLS NPN extension. I am a
little suspicious that the particular methods that are failing for you
are non-HTTP methods.

Are you able to try running the latest Squid with a patch?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
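As an added example (not part of the thread, nor Squid's own tooling), the following Python script parses access.log lines in Squid's native "squid" log format (the format the quoted config selects) and reports, per method and peer, how many requests were aborted; run over the thread's entries it isolates RPC_IN_DATA as the method that never completes. The sample lines are reconstructed from the post with constructed epoch timestamps.

```python
import re
from collections import defaultdict

# Native squid format: time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample modelled on the thread's access.log entries (epoch times are made up).
SAMPLE_LOG = """\
1449724629.706     13 192.168.56.1 TCP_MISS/200 6578 POST https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11 text/xml
1449724776.447 206818 192.168.56.1 TCP_MISS/200 16532 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
1449724776.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 text/html
1449724776.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
1449724776.453 207087 192.168.56.1 TCP_MISS_ABORTED/200 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
1449724807.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
1449724807.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
"""

def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("elapsed", "bytes"):
        d[k] = int(d[k])
    return d

def summarise(text):
    """Return {(method, peer): {"total", "aborted", "max_elapsed_ms"}} over all lines."""
    stats = defaultdict(lambda: {"total": 0, "aborted": 0, "max_elapsed_ms": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["method"], rec["peer"])]
        s["total"] += 1
        # Squid marks client/peer disconnects as *_ABORTED; status 000 means no reply at all
        if "ABORTED" in rec["code"] or rec["status"] == "000":
            s["aborted"] += 1
        s["max_elapsed_ms"] = max(s["max_elapsed_ms"], rec["elapsed"])
    return dict(stats)

def suspicious_methods(text):
    """Methods for which every request to a peer was aborted, sorted for stable output."""
    return sorted(m for (m, _peer), s in summarise(text).items() if s["aborted"] == s["total"])
```

The long elapsed values (over 200 s) on the RPC_* entries are the long-lived RPC-over-HTTP channels; the 000 status with zero bytes shows the inbound channel was dropped with no reply.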