On 27/06/19 11:39 am, Jared Fox wrote:
> Hi Amos
>
> So I have tried the following based on your suggestions, but it is
> still failing and I have the errors below:
>
> 1. Switched to a wildcard whitelist instead of single domain
> 2. Updated the logformat to provide more information, see below:
> 3. Add in `--client-requested`, but this made no difference.
> 3a. Add to single ACL, acl domainIsWhitelisted ssl::server_name
> --client-requested cloudtrace.googleapis.com
> 3b. Commented out single record, switched to wildcard
> 3c. Add to wildcard
>
> Error messages and Logs:
>
> Access Log: 26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106
> NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL:
> cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): -
> TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 -
> TLS/1.2 -
>
> Cache Log: 2019/06/26 23:18:38 kid1| ERROR: negotiating TLS on FD
> 11: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher
> returned (1/-1/0)

This means the OpenSSL library being used by Squid does not contain any
support for the cipher(s) the server chose to use for this transaction.

The only way I am aware of to avoid it is to upgrade the OpenSSL library
Squid is built against.

> Can you please explain what you mean? What should this be changed to so
> that it does work.
>
>> Please be aware that in your config the ssl::server_name ACL is *not*
>> matching the SNI in your config.
>> - Your ssl_bump rules say "peek all" - so peek happens on the two Hello
>> messages. When the serverHello has been peek'd the real server name is
>> available from the servers own certificate.

To quote the ssl::server_name documentation:

"
 # The ACL computes server name(s) using such information sources as
 # CONNECT request URI, TLS client SNI, and TLS server certificate
 # subject (CN and SubjectAltName). The computed server name(s) usually
 # change with each SslBump step, as more info becomes available:
 # * SNI is used as the server name instead of the request URI,
 # * subject name(s) from the server certificate (CN and
 # SubjectAltName) are used as the server names instead of SNI.
"

That last bullet point is what is/was happening with your original proxy
config. The "--client-requested" flag overrides that and causes the SNI
to be used in the match even when the server cert is known.

> Updated Squid.conf.
>
> # ===========================
> # Squid 4.7 Config - Work in Progress
> # ===========================
>
> acl localnet src 10.0.0.0/8 # Kubernetes VPC CIDR range
> acl SSL_ports port 443 # HTTPS
> acl Safe_ports port 80 # HTTP
> acl Safe_ports port 443 # HTTPS
> acl CONNECT method CONNECT # Traffic restriction
> acl step1 at_step SslBump1 # Needed by ssl-bump
>
> # -------------------------------
> # Whitelist the following Domains
> # -------------------------------
> # FQDN - Try to use FQDN
> acl domainIsWhitelisted ssl::server_name accounts.google.com
>
> # ----------------------------------------------
> # Wildcard
> acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.com
> acl domainIsWhitelisted ssl::server_name --client-requested
> .googleapis.l.google.com
> # -------------------------------
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Passively Intercepted HTTPS Traffic
> https_port 9091 cert=/etc/squid/example.com.cert
> key=/etc/squid/example.com.private ssl-bump intercept
> acl step1 at_step SslBump1
> ssl_bump peek all
> ssl_bump splice domainIsWhitelisted
> ssl_bump terminate all
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Logging
> logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv
> SSL: %ssl::>sni %ssl::bump_mode Client(Subject/Tx/Neg/Sup/Cip):
> %ssl::>cert_subject %ssl::>received_hello_version
> %ssl::>negotiated_version %ssl::>received_supported_version
> %ssl::>negotiated_cipher Server(Subject/Rx/Neg/Sup/Cip):
> %ssl::<cert_subject %ssl::<received_hello_version
> %ssl::<negotiated_version %ssl::<received_supported_version
> %ssl::<negotiated_cipher
> access_log daemon:/var/log/squid/access_custom1.log custom1
>
> # Listen on port 3128 for HTTP Connect method - unused and firewalled off.
> http_port 3128

NP: this is not about CONNECT method. It is about serving up error pages,
FTP listings, and all the icons/scripts/stylesheets etc embedded in those.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
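The thread above leaves two things a practitioner would want to check by hand: whether an SNI actually matches the posted whitelist under Squid's domain-ACL rules, and how to pick the "ServerHello received, nothing negotiated" shape of the failing access-log line out of a log written with the custom1 logformat. The following is an added example, not code from the squid-users thread or from Squid itself. It assumes Squid's documented domain-ACL matching (a leading dot matches the domain and all of its subdomains, otherwise exact match); the WHITELIST values are taken from the posted squid.conf; the "server-handshake-aborted" verdict is this example's own heuristic, not a Squid status; and every sample line is constructed (the first reproduces the access-log line quoted in the thread, the other two are invented, with RFC 5737 test addresses).

```python
"""Parse Squid access-log lines in the thread's custom1 logformat, check the
SNI against the whitelist ACLs from the posted squid.conf, and flag CONNECTs
whose server-side TLS handshake died after the ServerHello.

Added example; not from the squid-users thread or from Squid. Sample lines
are constructed (the first is the one quoted in the thread).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

CLIENT_MARK = "Client(Subject/Tx/Neg/Sup/Cip):"
SERVER_MARK = "Server(Subject/Rx/Neg/Sup/Cip):"

# ssl::server_name values from the posted config.
WHITELIST = ["accounts.google.com", ".googleapis.com", ".googleapis.l.google.com"]


@dataclass
class TlsRecord:
    status: str            # %Ss/%>Hs, e.g. NONE/200
    bytes_to_client: int   # %<st
    url: str               # %ru
    sni: str               # %ssl::>sni
    bump_mode: str         # %ssl::bump_mode
    client_hello: str      # %ssl::>received_hello_version
    server_subject: str    # %ssl::<cert_subject
    server_hello: str      # %ssl::<received_hello_version
    server_negotiated: str # %ssl::<negotiated_version
    server_cipher: str     # %ssl::<negotiated_cipher


def _subject_and_tail(part: str) -> Tuple[str, str, str, str, str]:
    """'<subject> <hello> <negotiated> <supported> <cipher>': the last four
    fields never contain spaces, so split from the right and keep whatever
    is left as the subject (it may contain spaces and commas)."""
    f = part.rsplit(None, 4)
    if len(f) != 5:
        raise ValueError(f"unexpected TLS field group: {part!r}")
    return f[0], f[1], f[2], f[3], f[4]


def parse_custom1(line: str) -> TlsRecord:
    """Split on the literal markers the logformat emits rather than counting
    tokens, so a multi-word cert subject cannot shift the later fields."""
    head, sep, rest = line.partition(" SSL: ")
    if not sep:
        raise ValueError("not a custom1 line (no 'SSL:' marker)")
    ssl_part, _, rest = rest.partition(" " + CLIENT_MARK + " ")
    client_part, _, server_part = rest.partition(" " + SERVER_MARK + " ")
    # %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv
    _ts, _dur, _cip, _sip, status, size, _method, url, _ver = head.split()
    sni, bump_mode = ssl_part.split()
    _c_subj, c_tx, _c_neg, _c_sup, _c_cip = _subject_and_tail(client_part)
    s_subj, s_rx, s_neg, _s_sup, s_cip = _subject_and_tail(server_part)
    return TlsRecord(status, int(size), url, sni, bump_mode, c_tx,
                     s_subj, s_rx, s_neg, s_cip)


def acl_domain_match(patterns: Iterable[str], name: str) -> bool:
    """Squid domain-ACL matching: a value with a leading dot matches that
    domain and every subdomain of it; without the dot it matches exactly.
    Case-insensitive; a trailing dot on the name is ignored."""
    n = name.lower().rstrip(".")
    for p in (x.lower() for x in patterns):
        if p.startswith("."):
            if n == p[1:] or n.endswith(p):
                return True
        elif n == p:
            return True
    return False


def classify(rec: TlsRecord) -> str:
    """Heuristic verdict (this example's assumption, not a Squid status).
    A peeked CONNECT that recorded a ServerHello version but no negotiated
    server version or cipher and sent 0 bytes is a server-side handshake
    Squid abandoned; the thread's 'unknown cipher returned' cache.log error
    sits beside exactly this access-log shape."""
    if (rec.bump_mode == "peek" and rec.server_hello != "-"
            and rec.server_negotiated == "-" and rec.server_cipher == "-"
            and rec.bytes_to_client == 0):
        return "server-handshake-aborted"
    if rec.bump_mode in ("splice", "terminate"):
        return rec.bump_mode + "d"
    return "other"


def analyse(lines: Iterable[str]) -> List[Dict[str, object]]:
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_custom1(line)
        out.append({"sni": rec.sni,
                    "whitelisted": acl_domain_match(WHITELIST, rec.sni),
                    "verdict": classify(rec),
                    "server_subject": rec.server_subject})
    return out


# Constructed samples: [0] is the thread's line; [1] and [2] are invented.
SAMPLE_LINES = [
    "26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106 NONE/200 0 CONNECT "
    "216.58.200.106:443 HTTP/1.1 SSL: cloudtrace.googleapis.com peek "
    "Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - "
    "Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 -",
    "26/Jun/2019:23:20:01 412 REDACTED 203.0.113.5 TCP_TUNNEL/200 6120 CONNECT "
    "203.0.113.5:443 HTTP/1.1 SSL: accounts.google.com splice "
    "Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.2 TLS/1.2 TLS/1.2 ECDHE-RSA-AES128-GCM-SHA256 "
    "Server(Subject/Rx/Neg/Sup/Cip): CN=accounts.google.com, O=Google LLC "
    "TLS/1.2 TLS/1.2 TLS/1.2 ECDHE-RSA-AES128-GCM-SHA256",
    "26/Jun/2019:23:21:15 3 REDACTED 198.51.100.7 NONE/200 0 CONNECT "
    "198.51.100.7:443 HTTP/1.1 SSL: example.com terminate "
    "Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 - "
    "Server(Subject/Rx/Neg/Sup/Cip): - - - - -",
]

if __name__ == "__main__":
    for row in analyse(SAMPLE_LINES):
        print(row)
```

Run against the real access_custom1.log by feeding its lines to analyse(); a whitelisted SNI whose verdict is "server-handshake-aborted" is the case Amos describes, where the ACL did its job and the failure is the OpenSSL build rather than the ssl_bump rules. Note that the access log never names the cipher the server picked (the field is "-" because the negotiation failed), so identifying it still needs a packet capture or an openssl s_client run from a host with a newer OpenSSL.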