Hi Alex

I've tested again. Squid (3.5.11) only terminates the connection (based on SHA1-Fingerprint) *if* the fingerprint is delimited with colons. If not, Squid GETs the https-request as usual. I'll report a bug.

With SHA1-FP (delimited): 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the config-file, Squid terminates the connection as expected:

$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established

curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443

With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532 in the config-file, Squid GETs the site:

$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2015 20:06:11 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000
...
....

Kind regards,
Tom

On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 12/07/2015 02:05 PM, Tom Tom wrote:
>> The configuration provided by Alex works for me (squid 3.5.11)
>
> Thank you for testing and helping expose problems.
>
>
>> if:
>> * the http_port-directive is configured with ssl-bump and a
>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>
> ssl-bump is required to access SSL/TLS peeking code. No way around that
> today, although future Squid versions may provide something like an
> ssl-peek port option that tells Squid that no bumping, for any reason
> (including error serving), is permitted on that port.
>
> Specifying a root CA is required to serve certificate validation (and
> other) errors, but we probably should be more flexible and allow no-CA
> splice-or-terminate configurations as well.
>
> Related enhancement requests in bugzilla are welcome, especially if
> they are followed by quality patches.
>
>
>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>> two characters with a colon
>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>> ar***krebs.de)
>
> If Squid silently misinterprets colon-less fingerprints, it is a bug
> that should be reported and fixed. Squid should either interpret them
> correctly or exit with a configuration error.
>
>
> Thank you,
>
> Alex.
>
>
>
>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>>> * Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>>>>> Please note that if you do not want to bump anything, then the following
>>>>> should also work (bugs notwithstanding):
>>>>>
>>>>> ssl_bump splice whitelist
>>>>> ssl_bump peek all
>>>>> ssl_bump terminate blacklist
>>>>> ssl_bump splice all
>>>>
>>>> That doesn't seem to work for me (squid 3.5.2)
>>>
>>>> Yet I still can connect. What am I doing wrong?
>>>
>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>
>>> If you are using the latest v3.5 release, then you should open a bug
>>> report, preferably with an ALL,9 log depicting a single failing
>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>> reading email].
>>>
>>>
>>> Thank you,
>>>
>>> Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
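The failure Tom describes is silent: a colon-less fingerprint in the ACL file never matches, so the terminate rule never fires and the site is spliced through. Until Squid rejects such entries at startup, the practical check is to lint the blacklist file before reload. The following is an added example, not code from this thread or from the Squid project. It assumes the file holds one SHA1 fingerprint per line and is loaded with an ACL such as `acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLISTS"` (the path and ACL name are assumptions), and it takes Tom's report at face value: only the colon-delimited, `openssl x509 -fingerprint -sha1` spelling is matched by Squid 3.5.11. The sample ACL file embedded below is constructed from the two fingerprints quoted in the thread plus a junk line; treating `#` lines as comments is the linter's own convention.

```python
"""Lint a Squid server_cert_fingerprint ACL file for colon-less entries.

Added example (not from the squid-users thread or the Squid project).
Assumes: one SHA1 fingerprint per line, loaded via something like
    acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLISTS"
(path and ACL name are assumptions), and that Squid 3.5 only matches
the colon-delimited spelling, as reported in the thread.
"""
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# Squid / openssl spelling: 20 upper-case hex bytes separated by colons.
COLON_FORM = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")
# The spelling that silently never matched in the thread.
BARE_FORM = re.compile(r"^[0-9A-F]{40}$")


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER-encoded certificate, formatted like
    `openssl x509 -noout -fingerprint -sha1` and Squid's ACL syntax."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def normalize(entry: str) -> Optional[str]:
    """Return the colon-delimited upper-case form of a fingerprint,
    or None if the entry is not a SHA1 fingerprint in either spelling."""
    candidate = entry.strip().upper()
    if COLON_FORM.match(candidate):
        return candidate
    if BARE_FORM.match(candidate):
        return ":".join(candidate[i:i + 2] for i in range(0, 40, 2))
    return None


def lint(acl_text: str) -> List[Tuple[int, str, str]]:
    """Check every line of the ACL file.

    Returns (line_number, status, entry) where status is one of
      'ok'        already in the spelling Squid matches
      'rewritten' colon-less or lower-case; entry is the corrected form
      'duplicate' same fingerprint as an earlier line (after normalizing)
      'invalid'   not a SHA1 fingerprint at all
    Blank lines and lines starting with '#' are skipped (linter convention).
    """
    seen = set()
    findings = []
    for lineno, raw in enumerate(acl_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fixed = normalize(line)
        if fixed is None:
            findings.append((lineno, "invalid", line))
            continue
        if fixed in seen:
            findings.append((lineno, "duplicate", fixed))
            continue
        seen.add(fixed)
        findings.append((lineno, "ok" if line == fixed else "rewritten", fixed))
    return findings


def fixed_acl(acl_text: str) -> str:
    """The ACL file with every usable entry in the colon-delimited form;
    duplicates and invalid lines are dropped. Write this back to the file."""
    kept = [e for _, s, e in lint(acl_text) if s in ("ok", "rewritten")]
    return "\n".join(kept) + "\n"


# Constructed sample file: the colon-less spelling of the first fingerprint
# quoted in the thread, the second quoted fingerprint, the first one again in
# the correct spelling, and a junk line.
SAMPLE_ACL = """\
# constructed SSL_BLACKLISTS, not the poster's real file
413072F803CE961210E9A45D10DA14B0D2D48532
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
not-a-fingerprint
"""

if __name__ == "__main__":
    for lineno, status, entry in lint(SAMPLE_ACL):
        print(f"line {lineno}: {status:9s} {entry}")
    print("--- corrected file ---")
    print(fixed_acl(SAMPLE_ACL), end="")
```

To add a site, take the fingerprint straight from the served certificate so the spelling is right by construction: `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1` prints the same `XX:XX:...` form that `sha1_fingerprint()` produces from the DER bytes. The `ssl_bump` rules Alex quotes (splice whitelist, peek all, terminate blacklist, splice all) only do what is expected once every entry the `blacklist` ACL reads is in that form, which is what `fixed_acl()` guarantees; running the linter as a pre-reload check turns a silent non-match into a visible error.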