Re: HTTPS bump doesn't work with websites that require SNI

Hello there, 

Thanks for your interest. The versions we use are:

Squid Cache: Version 3.4.10
OpenSSL 1.0.2h  3 May 2016
----------
Configuration we use for https bumping:
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:

Hey,

 

What version of squid is provided on pfsense and what version are you using?

 

Eliezer

 

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Yi?itcan U?UM
Sent: Sunday, July 10, 2016 3:49 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: HTTPS bump doesn't work with websites that require SNI

 

Hello there. We're using pfsense and squid-proxy to bump https connections between some of our machines and www. The setup seems to work fine for most of the https sites, but it doesn't work for the others.

 

One example of these sites is "docs.docker.com". Even though we can connect to "docker.com", we can't connect to "docs.docker.com".

 

The error we get is:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Upon further investigation we found out that this happens because some sites require SNI to supply correct SSL certificate.

You can test this out with:

-------------------------------

openssl s_client -connect docs.docker.com:443 -> ERROR

140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:

-------------------------------

openssl s_client -connect docs.docker.com:443 -servername docs.docker.com -> Works

--------------------------------

Squid seems to make https request without the SNI. How can we configure Squid to use SNI? Thanks.


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
