TCP FIN,ACK after ServerHelloDone with pcmag.com

Hi Folks,

I am using Squid as an HTTPS interception proxy. When I try to access https://www.pcmag.com (which is supposed to be bumped in my environment), I get

“unable to forward request at this time” even though the website is perfectly accessible outside of the proxy.

A packet capture suggests that after ClientHello -> ServerHello -> ServerCertificate, ServerKeyExchange, ServerHelloDone, the remote server just sends a FIN,ACK packet, killing off the TCP connection. Nothing else looks out of the ordinary. (Without Squid, Firefox successfully opens the site and the negotiation is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS 1.2.)

The only weird thing that stands out about that website is that the list of Subject Alternative Names is huge. Could this be a possible bug with Squid?

My TLS options in squid.conf:

tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt \
    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    cipher=HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EXPORT:!DES:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

https_port:

https_port 23129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/InternetCA/InternetCA.pem \
    key=/etc/squid/InternetCA/InternetCA.key \
    tls-cafile=/etc/squid/InternetCA/InternetCA.chain.pem \
    capath=/etc/pki/tls/certs/certs.d \
    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    tls-dh=prime256v1:/etc/squid/dhparam.pem

Please advise.

Regards,

Sarfaraz

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
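The handshake the post describes can be reproduced outside Squid so that the proxy's outgoing cipher string and options can be compared against a plain OpenSSL-default client. This is an added example, not code from the post or the Squid project; the cipher string and option names are copied from the post's tls_outgoing_options, the target host is the one named in the post, and the result dictionaries are a constructed format for this script.

```python
"""Mirror Squid's tls_outgoing_options in Python's ssl module and probe a
server with them, so a handshake failure can be compared with a default
client.  Added diagnostic example, not part of the original post."""
import socket
import ssl

# Cipher string copied verbatim from the post's tls_outgoing_options line.
SQUID_CIPHERS = ("HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:"
                 "!EXPORT:!DES:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"
                 "!KRB5-DES-CBC3-SHA")
# OpenSSL name of the suite Firefox negotiated directly
# (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 in IANA naming).
FIREFOX_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def squid_like_context(cafile=None):
    """Client context with NO_SSLv3 plus the single-use DH/ECDH flags from the
    post.  OpenSSL silently skips unknown '!' names such as the KRB5 suite."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.options |= getattr(ssl, "OP_SINGLE_DH_USE", 0)   # no-op on OpenSSL >= 1.1.0
    ctx.options |= getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
    ctx.set_ciphers(SQUID_CIPHERS)
    return ctx


def offered_ciphers(ctx):
    """Names of the suites this context would advertise in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe(host, port=443, ctx=None, timeout=10):
    """Handshake with host and return a constructed result dict.  A server that
    sends FIN after ServerHelloDone shows up as ok=False with the OS/SSL error
    instead of a negotiated cipher."""
    ctx = ctx or squid_like_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "san_count": len(sans)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": repr(exc)}


if __name__ == "__main__":
    for label, ctx in (("squid-like", squid_like_context()),
                       ("openssl-default", ssl.create_default_context())):
        print(label, probe("www.pcmag.com", ctx=ctx))
```

If the squid-like context fails where the default one succeeds, the difference is in the offered suites or options; if both fail from the proxy host while Firefox succeeds elsewhere, look at the network path rather than at Squid.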
