On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> On 25/11/17 08:30, James Lay wrote:
>> Topic says it...this setup has been working well for a long time, but
>> now there are some sites that are failing the TLS handshake. Here's my
>> setup:
>>
>> acl localnet src 192.168.1.0/24
>> acl SSL_ports port 443
>> acl Safe_ports port 80
>> acl Safe_ports port 443
>> acl CONNECT method CONNECT
>> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_Ports
>> http_access allow SSL_ports
>> http_access allow allowed_http_sites
>> http_access deny all
>> ssl_bump peek all
>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>> ssl_bump splice allowed_https_sites
>> ssl_bump terminate all
>
> Because you have "peek all" being performed, the transaction MUST pass
> your regex patterns with both the TLS SNI from the client *and* the
> server certificate SubjectName values. Either one not matching will
> perform that "terminate all" on the TLS handshake.

Thanks Amos...do you have a suggestion for changing this to match one or
the other instead of both?

James

>> sslproxy_cert_error allow all
>> sslproxy_capath /etc/ssl/certs
>> sslproxy_flags DONT_VERIFY_PEER
>> #sslproxy_options ALL
>
> Also, please remove these "*_error allow all" and DONT_VERIFY_PEER
> lines from your config. They are actively harmful.
>
>> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
>> sslcrtd_children 5
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem
>
> NP: when cert= and key= are in the same file you do not need to
> specify key=.
>
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
>
> It is also best to add "sslflags=NO_DEFAULT_CA" to these ports for
> Squid-3. That will save a lot of useless memory overheads.
>
>> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
>> ...
>>
>> For example, the file http_url.txt contains:
>>
>> account\.elderscrollsonline\.com
>> \.elderscrollsonline\.com
>> elderscrollsonline\.com
>>
>> After doing some reading it looks like this is http2 traffic:
>> https://wiki.squid-cache.org/Features/HTTP2.
>
> There is no sign of HTTP/2 in that PCAP trace. There is SPDY/3 and
> HTTP/1.1 being offered by the client. If that is from the client to
> Squid, then please check the matching Squid->server for what is going
> on there.
>
> If the problem remains please try Squid-4. It has more advanced TLS
> capabilities than Squid-3.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
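As an added example (not part of this thread, and not James's or Amos's configuration), here is one way the quoted SslBump section could be reworked so that the splice decision depends on the client's SNI alone: Squid peeks only at step 1, so the splice/terminate rules are evaluated at step 2 once the ClientHello has been read, before any server certificate is fetched. It also drops the two peer-verification overrides Amos calls harmful and adds NO_DEFAULT_CA. The `step1` ACL name and the comma-separated sslflags form are assumptions; the paths and file names are those from the thread.

```conf
# Added example: revised SslBump section for the intercept setup quoted above.
# Assumes Squid-3.5 or later (at_step ACLs, peek/splice/terminate actions).

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

# Peek only during step 1 so the ClientHello (and its SNI) is read, but the
# ServerHello and server certificate are never inspected. The splice rule is
# then matched against the SNI at step 2; anything else is terminated.
# ("step1" is an assumed ACL name; at_step SslBump1 is the documented type.)
acl step1 at_step SslBump1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all

# Deliberately NOT present (they disable outgoing certificate validation
# and were called actively harmful in the reply above):
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
sslproxy_capath /etc/ssl/certs

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
# key= is kept because the cert and key are separate files here.
# NO_DEFAULT_CA stops Squid-3 loading the system CA bundle for this port
# (comma-separated flag list is assumed).
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE,NO_DEFAULT_CA
```

Two caveats worth weighing before adopting this. First, splicing on the SNI alone means the allow-list is enforced against a name the client chose, and in intercept mode the client also chose the destination IP; if the point of the allow-list is to stop a client from reaching arbitrary hosts, peeking through step 2 so the server certificate is also matched (which is what "peek all" does) is the stronger check, at the cost of the failures described in the thread. Second, Squid regex ACLs are unanchored, so a pattern such as `elderscrollsonline\.com` also matches names like `notelderscrollsonline.com` or `elderscrollsonline.com.example`; anchoring with `^` and `$` (or using `ssl::server_name` with `.elderscrollsonline.com` for a domain match) narrows that.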