
Re: sslproxyflags DONT_VERIFY_PEER

Okay, it's not a name of the cert problem.

I turned on extra debug info to see what I get when I remove the DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is what I got in the cache.log. I only see a couple of lines about a certificate error. Sorry this is long but I didn't know what to include so I just included everything for that one access attempt.

2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:49732)  vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' NOT found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443 remote=10.40.40.110:49732 FD 14 flags=33 method 3
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is  banned
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <>  .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <>  .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732)  vs [::]-[::]/[::]
2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=52.34.245.108:443 remote=10.40.40.110:49732 flags=33
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:40595)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:40595' found
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc
2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match
2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8
2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on each interface (128 found)
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:35474)  vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' NOT found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443 remote=10.40.40.110:35474 FD 18 flags=33 method 3
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:35474)  vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is  banned
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <>  .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <>  .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474)  vs [::]-[::]/[::]
2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=98.138.253.109:443 remote=10.40.40.110:35474 flags=33
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8

The web browser error says:
"Failed to establish a secure connection to (a yahoo.com IP address was here)"
and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
and "Certificate issuer (CA) not known".

On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.prescott@xxxxxxxxx> wrote:
Thanks for the info, Alex. That's very helpful about cleaning up my ACLs. Those ACLs are a collection of ACLs that others have suggested I use, but it would be nice to make them less confusing for me.

With my limited understanding of how sslbump works, the idea for squid to play MITM is that a self-signed cert like squidCA.der is imported to a browser's root CAs. I have left a copy of the self-signed cert named squidCA.pem in the squid's cert directory which only works if squid is told to not verify the peer. When following the instructions on how to generate the self-signed cert with openssl, the .pem file must be converted to a .der file for the browser to accept it. It just dawned on me: could this be related to the fact that the squid self-signed certs are not named the same?

On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 08/03/2016 08:45 AM, Stanford Prescott wrote:

> ssl_bump none localhostgreen
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all

AFAICT, the above is too complex. You can simplify it with:

  ssl_bump splice localhostgreen
  ssl_bump peek tls_s1_connect
  ssl_bump splice tls_to_splice
  ssl_bump stare all
  ssl_bump bump all

and, after polishing your ACLs a little, possibly even with:

  ssl_bump splice transactions_to_splice
  ssl_bump peek tls_s1_connect
  ssl_bump stare all
  ssl_bump bump all

where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
and tls_to_splice)".


As for your original question, I recommend figuring out why Squid cannot
verify the peer. For example, your setup might be missing fresh
certificates for some well-known Root CAs. I do not know a good way to
figure out why peer verification does not work, but analyzing cache.log
with high-enough debugging level should be doable, especially if you can
reproduce the problem using a single transaction:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
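The cache.log posted above is what Alex's single-transaction debugging suggestion produces, and the lines that matter are buried among hundreds of ACL checks. The following is an added example (not from the thread and not Squid's own code) that walks such a log once and reports, per bumped client connection, the SNI, the sslproxy_cert_error decision and the OpenSSL verification error; the sample log is a trimmed copy of the excerpt above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the cache.log excerpt in the thread, trimmed to
# the ones this parser keys on (two client connections, both rejected the same way).
SAMPLE_LOG = """\
2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443 remote=10.40.40.110:49732 FD 14 flags=33 method 3
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=52.34.245.108:443 remote=10.40.40.110:49732 flags=33
2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443 remote=10.40.40.110:35474 FD 18 flags=33 method 3
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=98.138.253.109:443 remote=10.40.40.110:35474 flags=33
"""

RE_BUMP = re.compile(r"httpsSslBumpAccessCheckDone: sslBump needed for local=(\S+) remote=(\S+) FD (\d+)")
RE_SNI = re.compile(r"ServerName\.cc\(\d+\) match: checking '([^']+)'")
RE_CERT_ACL = re.compile(r"matches: checking sslproxy_cert_error\s*$")
RE_ANSWER = re.compile(r"markFinished: 0x[0-9a-f]+ answer (ALLOWED|DENIED) for match")
RE_SSL_ERR = re.compile(r"Error negotiating SSL on FD (\d+): error:([0-9A-Fa-f]+):([^:]+):([^:]+):([^(]+?)\s*\(")
RE_SWAN = re.compile(r"swanSong: local=(\S+) remote=(\S+)")


@dataclass
class Transaction:
    """One intercepted client connection, from the SslBump access check to swanSong."""
    server: str            # local= address the client was connecting to (origin server)
    client: str            # remote= client address:port
    client_fd: int         # client-side FD (the OpenSSL error reports the server-side FD)
    sni: Optional[str] = None
    cert_error_acl: Optional[str] = None  # ALLOWED = error ignored, DENIED = connection dropped
    ssl_errors: List[str] = field(default_factory=list)
    closed: bool = False


def parse_cache_log(text: str) -> List[Transaction]:
    """Walk the log once, attaching certificate decisions and OpenSSL errors to the
    client connection currently being bumped (cache.log is written sequentially)."""
    txns: List[Transaction] = []
    current: Optional[Transaction] = None
    awaiting_answer = False  # the next markFinished answers the sslproxy_cert_error check
    for line in text.splitlines():
        m = RE_BUMP.search(line)
        if m:
            current = Transaction(m.group(1), m.group(2), int(m.group(3)))
            txns.append(current)
            continue
        if current is None or current.closed:
            continue
        m = RE_SNI.search(line)
        if m and m.group(1) != "none":     # 'none' is what Squid logs when no SNI is known
            current.sni = m.group(1)
        elif RE_CERT_ACL.search(line):
            awaiting_answer = True
        elif awaiting_answer and (m := RE_ANSWER.search(line)):
            current.cert_error_acl = m.group(1)
            awaiting_answer = False
        elif m := RE_SSL_ERR.search(line):
            current.ssl_errors.append(f"{m.group(2)} {m.group(4)}: {m.group(5).strip()}")
        elif (m := RE_SWAN.search(line)) and m.groups() == (current.server, current.client):
            current.closed = True
    return txns


def summarize(txns: List[Transaction]) -> List[str]:
    """One human-readable line per client connection."""
    out = []
    for t in txns:
        if t.ssl_errors and t.cert_error_acl == "DENIED":
            why = ("origin certificate failed verification and sslproxy_cert_error "
                   "denied ignoring it, so Squid aborted the connection")
        elif t.ssl_errors and t.cert_error_acl == "ALLOWED":
            why = "origin certificate error was ignored because sslproxy_cert_error allowed it"
        elif t.ssl_errors:
            why = "TLS negotiation failed"
        else:
            why = "no certificate or TLS error logged"
        detail = "; ".join(t.ssl_errors)
        out.append(f"{t.client} -> {t.sni or t.server} (FD {t.client_fd}): {why}"
                   + (f" [{detail}]" if detail else ""))
    return out


if __name__ == "__main__":
    for line in summarize(parse_cache_log(SAMPLE_LOG)):
        print(line)
```

A DENIED answer next to "certificate verify failed" means Squid could not chain the origin server's certificate to a CA it trusts for upstream verification (sslproxy_cafile / sslproxy_capath in Squid 3.x), which is a different trust store from squidCA.pem: that certificate only signs the certificates Squid generates for the browser and plays no part in verifying the origin server.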
