Hi,
I've a problem in Ubuntu 18.04.2 with Squid 4.6 compiled with OpenSSL 1.1 about ssl_bump. The same configuration works in Squid 3.5 and OpenSSL 1.0.
Here is the relevant conf:
...
http_port 3128 ssl-bump options=ALL:NO_SSLv3 connection-auth=off generate-host-certificates=off cert=/etc/squid/squidCA.pem
# Not bypass server certificate validation errors
sslproxy_cert_error deny all
# This one return errors with debian on GCP (https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery)
host_verify_strict off
sslproxy_session_cache_size 0
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 all
# API Google
acl api_google_urls url_regex ^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https?:\/\/)?.*\.google\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com
acl api_google_ssl ssl::server_name_regex .*\.google\.com
acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com
acl api_google_ips src 127.0.0.1/32
http_access allow api_google_ips api_google_urls
ssl_bump splice step3 api_google_ips api_google_ssl
http_access deny all
ssl_bump terminate step3 all
...
To compile and install squid I use this script:
# set squid version
export SQUID_VER="4.6"
export SQUID_PKG="${SQUID_VER}-2"
sudo apt-get -y install libssl-dev devscripts build-essential fakeroot dpkg-dev
sudo apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl libecap3 libecap3-dev \
ed libltdl-dev cdbs debhelper dh-apparmor
# we will be working in a subfolder make it
mkdir -p build/squid
# decend into working directory
pushd build/squid
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.dsc
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_VER}.orig.tar.gz
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.debian.tar.xz
# unpack the source package
dpkg-source -x squid_${SQUID_PKG}.dsc
echo "DEB_CONFIGURE_EXTRA_FLAGS += --enable-ssl --with-openssl --enable-ssl-crtd" >> squid-${SQUID_VER}/debian/rules
# build the package
cd squid-${SQUID_VER} && dpkg-buildpackage -rfakeroot -b -J2 -uc -us
sudo apt-get install squid-langpack
sudo dpkg --install squid-common_${SQUID_PKG}_all.deb
sudo dpkg --install squid_${SQUID_PKG}_amd64.deb
sudo dpkg --install squidclient_${SQUID_PKG}_amd64.deb
cd /etc/squid
sudo openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -subj "/CN=nobody" -x509 -extensions v3_ca -keyout squidCA.pem -out squidCA.pem
# the rest of the script runs privileged steps through sudo, so these need it too
sudo chown proxy:proxy /var/spool/squid
sudo chown proxy:proxy /var/log/squid
sudo chown -R proxy:proxy /etc/squid
sudo apt-get -y remove --purge libssl-dev
sudo apt-get -y remove --purge devscripts build-essential fakeroot dpkg-dev
sudo apt-get -y remove --purge libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
libpam0g-dev libgnutls28-dev libssl-dev libecap3-dev \
ed libltdl-dev cdbs debhelper dh-apparmor
sudo apt-get -y autoremove
I'm upgrading to Squid 4 with OpenSSL 1.1 because with Squid 3 I've some connections that get stuck (for example https://packages.cloud.google.com/apt/doc/apt-key.gpg), I think because of unsupported ciphers.
But with Squid 4 and OpenSSL 1.1 I've these lines in the cache log:
2019/04/04 08:49:15 kid1| ERROR: client https start failed to allocate handle: error:140AB043:SSL routines:SSL_CTX_use_certificate:passed a null parameter
2019/04/04 08:49:15 kid1| ERROR: could not create TLS server context for local=127.0.0.1:3128 remote=127.0.0.1:39203 FD 19 flags=1
and this in the access log:
127.0.0.1 - - [04/Apr/2019:08:49:15 +0000] "CONNECT packages.cloud.google.com:443 HTTP/1.1" 200 0 "-" "curl/7.58.0" NONE_ABORTED:HIER_NONE packages.cloud.google.com
for the following connection:
root@instance-2:/etc/squid $ https_proxy="http://127.0.0.1:3128" curl -vvvv -sSO https://packages.cloud.google.com/apt/doc/apt-key.gpg
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to packages.cloud.google.com:443
> CONNECT packages.cloud.google.com:443 HTTP/1.1
> Host: packages.cloud.google.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [223 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
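The ssl_bump ruleset in the post is evaluated step by step, first matching rule wins, and the outcome depends on both the client address and the server name. The following script is an added example (not part of the post and not Squid code) that parses the ssl_bump-relevant directives quoted above and reports which action Squid would take at each step for a given connection, so a ruleset can be checked before deployment. It assumes the server name is known at every step (true for an explicit-proxy CONNECT, where Squid takes it from the request authority), that a step with no matching rule is tunnelled without decrypting (Squid's documented default), and it only implements the ACL types the post uses (`at_step`, `ssl::server_name_regex`, `src`, and the built-in `all`).

```python
import ipaddress
import re

# Constructed sample: the ssl_bump-relevant directives from the squid.conf in the post.
SAMPLE_CONF = r"""
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 all
acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com
acl api_google_ssl ssl::server_name_regex .*\.google\.com
acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com
acl api_google_ips src 127.0.0.1/32
ssl_bump splice step3 api_google_ips api_google_ssl
ssl_bump terminate step3 all
"""

STEP_NAMES = {"SslBump1": 1, "SslBump2": 2, "SslBump3": 3}
# Actions after which Squid evaluates no further step: the connection is
# tunnelled, decrypted, or closed. 'peek' and 'stare' advance to the next step.
FINAL_ACTIONS = {"splice", "bump", "terminate"}


def parse_conf(text):
    """Collect acl definitions and ssl_bump rules, in file order, from squid.conf text."""
    acls = {"all": ("all", [])}  # Squid's built-in always-matching ACL
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            acl_kind, acl_values = acls.setdefault(name, (kind, []))
            if acl_kind != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            acl_values.extend(values)  # repeated acl lines accumulate values
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, ref, step, server_name, client_ip):
    """Evaluate one ACL reference (optionally negated with '!') for a connection."""
    negate = ref.startswith("!")
    kind, values = acls[ref.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "at_step":
        hit = any(STEP_NAMES[v] == step for v in values)
    elif kind == "ssl::server_name_regex":
        # Squid regex ACLs are unanchored searches, not full matches.
        hit = any(re.search(v, server_name) for v in values)
    elif kind == "src":
        addr = ipaddress.ip_address(client_ip)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate


def decide(acls, rules, step, server_name, client_ip):
    """First ssl_bump rule whose ACLs all match wins at this step."""
    for action, refs in rules:
        if all(acl_matches(acls, r, step, server_name, client_ip) for r in refs):
            return action
    return "splice"  # assumption: no matching rule means tunnel without decrypting


def plan(conf_text, server_name, client_ip):
    """Return the list of actions Squid would take, step by step, for one connection."""
    acls, rules = parse_conf(conf_text)
    actions = []
    for step in (1, 2, 3):
        action = decide(acls, rules, step, server_name, client_ip)
        actions.append(action)
        if action in FINAL_ACTIONS:
            break
    return actions


if __name__ == "__main__":
    for name, ip in [("packages.cloud.google.com", "127.0.0.1"),
                     ("packages.cloud.google.com", "10.0.0.5"),
                     ("example.com", "127.0.0.1")]:
        print(f"{name} from {ip}: {' -> '.join(plan(SAMPLE_CONF, name, ip))}")
```

Run as shown, the local client's request to packages.cloud.google.com goes peek, peek, splice, while the same name from any other source address ends in terminate, which matches what the ruleset intends. One thing the simulation also makes visible is that the `ssl::server_name_regex` patterns are unanchored at the end, so a name that merely contains `.google.com` is spliced as well; anchoring them with `$` (or listing names with `ssl::server_name` instead of a regex) keeps the splice exception limited to the intended domains.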