
Re: Squid and SSL Bump

I answer inline.

On 9/01/2018, at 4:27 p.m., Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx> wrote:

On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:

I am trying to configure squid 3.5 on CentOS 7 with sslBump.

But I have some problems, the first:

Some HTTPs sites can access, because squid say what I am are not
authenticated. And other sites, yes I can access.

Please give us information:

1. An example of sites you can access.
Not HTTPS ones.

2. An example of sites you cannot access.

3. For problems, show us error messages - quote us what the remote sites tell
you.

Se encontró el siguiente error al intentar recuperar la dirección URL: https://outlook.co.il/

Acceso Denegado a la Caché

Lo lamento, tu no estás autorizado a solicitar https://outlook.co.il/ de este caché hasta que te hayas autenticado.

Please contact the cache administrator if you have difficulties authenticating yourself.


4. Please rephrase "squid say what I am are not authenticated" - this is not
clear - what do you mean?

I am authenticated.

To what?  Squid, or the remote site?
Squid, see message in Spanish for point 3.

Another error is this:
Error negotiating SSL on FD 16: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

The following error was encountered while trying to retrieve the URL: https://www.kiosco.bandec.cu/*

Failed to establish a secure connection to 190.6.64.132

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /CN=CX6.bandec.cu

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.


How do you know you are authenticated - what confirmation do you have?

A fragment of my squid.conf:

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump all
authenticate_ip_ttl 60 seconds

That looks a bit strange (and a bit incomplete) to me, but since I'm no expert
on SSL interception, I'll let someone else step in here.

If you can provide more information in the meantime (eg: enough to help
someone else replicate your problem) that would be good.

I also use DansGuardian before the squid proxy.

See the logs for one request:

1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html

aaa.aaa.aaa.aaa is my PC.
bbb.bbb.bbb.bbb is the DansGuardian.


Antony.

--
Wanted: telepath.   You know where to apply.

                                                  Please reply to the list;
                                                        please *don't* CC me.
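As an added example (not part of this thread or of Squid itself), a small Python script that parses the native-format access.log lines quoted in the post, pairs each allowed CONNECT with the bumped HTTPS requests to the same host, and reports the ones Squid denied with TCP_DENIED/403, also noting whether the client address changed between the CONNECT and the bumped request (as it does here, with DansGuardian in the path). It assumes Squid's default native log layout (10 whitespace-separated fields); the three sample lines are the ones from the post.

```python
from collections import namedtuple

# One line of Squid's default ("native") access.log format.
Entry = namedtuple("Entry", "ts elapsed client code status size method url user hier peer mime")

def parse_native(line):
    """Split a native-format line into its 10 fields (URLs carry no spaces)."""
    f = line.split()
    if len(f) != 10:
        raise ValueError("expected 10 fields, got %d: %r" % (len(f), line))
    code, status = f[3].split("/")          # e.g. TCP_DENIED/403
    hier, peer = f[8].split("/", 1)         # e.g. HIER_DIRECT/64.41.200.100
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status), int(f[4]),
                 f[5], f[6], f[7], hier, peer, f[9])

def host_of(url):
    """Host of a CONNECT target (host:port) or of an absolute URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()

def bump_denials(lines):
    """Allowed CONNECTs (status 200) whose bumped https:// request got TCP_DENIED/403."""
    entries = [parse_native(l) for l in lines if l.strip()]
    tunnels = {host_of(e.url): e for e in entries
               if e.method == "CONNECT" and e.status == 200}
    findings = []
    for e in entries:
        if e.url.startswith("https://") and e.code == "TCP_DENIED" and e.status == 403:
            t = tunnels.get(host_of(e.url))
            if t is not None:
                findings.append({"host": host_of(e.url), "user": e.user,
                                 "connect_client": t.client, "request_client": e.client,
                                 "client_changed": t.client != e.client})
    return findings

# Sample input: the three access.log lines quoted in the post.
SAMPLE_LOG = """\
1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
"""

if __name__ == "__main__":
    for finding in bump_denials(SAMPLE_LOG.splitlines()):
        print(finding)
```

The script only surfaces the pattern (tunnel allowed, bumped request denied, client address differing); it does not diagnose why the authentication did not carry over.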
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
