Hi,
I'm new to this group. I just set up Squid version 4.5 on my Ubuntu machine. I configured this proxy to receive
HTTPS packets from another device on the same LAN, and modified iptables to redirect port 443 packets
to the Squid proxy port 3130.
I can see the client HTTPS packet has been received and the proxy is ready to do the 'bump'; the FD of the client
connection is 13:
**
2019/12/07 20:48:59.586 kid1| 85,4| client_side_request.cc(1510) processRequest: CONNECT x.y.43.31:443
2019/12/07 20:48:59.586 kid1| 85,5| client_side_request.cc(1597) sslBumpStart: Confirming peek-bumped CONNECT tunnel on FD local=x.y..31:443 remote=192.168.1.25:39273 FD 13 flags=33
**
From the debug output I can also see that the proxy connects to the remote
server and has negotiated fine with it. The proxy receives 3 certificates from the server,
and verification of the server was fine. But when the proxy tries to proceed with the client negotiation, I get this error:
***
2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc(2859) sslCrtdHandleReply: Certificate for x.y.43.31 was successfully recieved from ssl_crtd
2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc(3335) doPeekAndSpliceStep: PeekAndSplice mode, proceed with client negotiation. Currrent state:SSLv2/v3 read client hello A
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 13, type=2, handler=1, client_data=0x15beef8, timeout=0
2019/12/07 20:48:59.760 kid1| 84,5| helper.cc(1247) GetFirstAvailable: GetFirstAvailable: Running servers 5
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall helperHandleRead constructed, this=0x1a37c50 [call827]
2019/12/07 20:48:59.760 kid1| 5,5| Read.cc(57) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 10 flags=1; asynCall 0x1a37c50*1
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 10, type=1, handler=1, client_data=0x155cce8, timeout=0
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCallQueue.cc(57) fireNext: leaving helperHandleRead(local=[::] remote=[::] FD 10 flags=1, data="" size=3384, buf=0x157fbd0)
2019/12/07 20:48:59.760 kid1| 83,5| bio.cc(612) squid_bio_ctrl: 0x1a5e140 6(0, 0x1a76c00)
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(347) get_session_cb: Request to search for SSL_SESSION of len: 321019023443:419801955
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(156) openForReading: trying to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(177) openForReadingAt: trying to open slot at 18 for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(169) openForReading: failed to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(362) get_session_cb: Failed to retrieve SSL_SESSION from cache
***
Here is my squid.conf:
#
acl localnet src 192.168.1.0/24
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/local/squid/etc/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256  # 1GB as Cache
##
I'm wondering whether this problem is a bug, a proxy config issue on my side, or whether the client does not send the correct TLS parameters.
Thanks for your help in advance.
Cheers,
- George
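Added example (not from the post, and not Squid's own code): a small Python parser for the cache.log debug-line format quoted above. It splits a dump whose newlines were lost in the mail client (including the fused "...:4432019/12/07 ..." case), then picks out the SSL-bump milestones and the client FD so the handshake sequence can be read in order; the milestone names are the (file, function) pairs from the log above, and the sample input is constructed from those same lines.

```python
import re

# Every Squid cache.log debug record opens with "<date> <time>.<ms> kid<n>|".
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3} kid\d+\|"
# A record runs from one prefix to just before the next (or end of text), so a
# dump whose newlines were lost in the mail client still splits cleanly.
RECORD_RE = re.compile(TS + r".*?(?=" + TS + r"|\Z)", re.S)
# Fields of a record: "<ts> kid<n>| <section>,<level>| <file>(<line>) <func>: <msg>"
FIELD_RE = re.compile(
    r"(?P<ts>\S+ \S+) kid(?P<kid>\d+)\| (?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<file>[\w.]+)\((?P<src>\d+)\) (?P<func>\w+): (?P<msg>.*)", re.S)

# (file, function) pairs from the post that mark stages of a peek-and-bump handshake.
MILESTONES = {
    ("client_side_request.cc", "sslBumpStart"): "bump started",
    ("client_side.cc", "sslCrtdHandleReply"): "mimic cert received from ssl_crtd",
    ("client_side.cc", "doPeekAndSpliceStep"): "client TLS negotiation step",
    ("Session.cc", "get_session_cb"): "TLS session cache lookup",
}

# Constructed sample: records from the post, run together as they arrived (note the
# fused "...:4432019/12/07 ..." with no separator at all).
SAMPLE = (
    "2019/12/07 20:48:59.586 kid1| 85,4| client_side_request.cc(1510) processRequest: CONNECT "
    "x.y.43.31:4432019/12/07 20:48:59.586 kid1| 85,5| client_side_request.cc(1597) sslBumpStart: "
    "Confirming peek-bumped CONNECT tunnel on FD local=x.y..31:443 remote=192.168.1.25:39273 FD 13 "
    "flags=33 2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc(2859) sslCrtdHandleReply: "
    "Certificate for x.y.43.31 was successfully recieved from ssl_crtd 2019/12/07 20:48:59.760 kid1| "
    "33,5| client_side.cc(3335) doPeekAndSpliceStep: PeekAndSplice mode, proceed with client "
    "negotiation. Currrent state:SSLv2/v3 read client hello A 2019/12/07 20:48:59.760 kid1| 5,5| "
    "ModEpoll.cc(117) SetSelect: FD 13, type=2, handler=1, client_data=0x15beef8, timeout=0 "
    "2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(362) get_session_cb: Failed to retrieve "
    "SSL_SESSION from cache"
)

def parse_records(blob):
    """Split a (possibly run-together) dump into dicts of the fields above."""
    recs = []
    for rec in RECORD_RE.findall(blob):
        m = FIELD_RE.match(rec.strip())
        if m:
            recs.append(m.groupdict())
    return recs

def bump_timeline(blob):
    """Return (ts, fd, stage, msg) for each milestone record; fd is None when absent."""
    out = []
    for r in parse_records(blob):
        stage = MILESTONES.get((r["file"], r["func"]))
        if stage is None:
            continue
        fd = re.search(r"\bFD (\d+)", r["msg"])
        out.append((r["ts"], int(fd.group(1)) if fd else None, stage, r["msg"]))
    return out
```

A session-cache lookup miss only records that no resumable TLS session was found for the client; the handshake then continues as a full handshake rather than being aborted by it.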
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users