Gateway Proxy failure - but only with one browser ...

I have two squids,

one does SSL bump (3.5latest CentOS 6)
the other doesn't SSL bump (3.4latest CentOS 6)

everything works,

I have a site that uses SSL/TLS, and two different browsers (one in a VM with old windows),

when I use the squid without SSL bump, the site works with both browsers,

but when I use the squid with SSL bump, with the old browser I get a "Gateway Proxy failure"

the log shows this:

host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info

compared to the log when using the other browser ...

host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info

is this caused by the browser on the old OS itself?

squid.conf (of squid with SSL bump)

reply_header_access Public-Key-Pins deny all

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3


Thanks,
Walter


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
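Added example, not part of the thread or of Squid: a small Python script that scans access.log lines in the layout posted above and reports, per client, SNI and User-Agent, how often a bumped HTTPS request was answered by Squid itself with a 5xx and HIER_NONE (no upstream contacted), which is the pattern the old browser shows after its CONNECT. The log-line regex is an assumption derived from the two posted sessions; adjust it if your logformat differs.

```python
import re
from collections import defaultdict

# Assumed layout, derived from the lines posted in the thread: Apache-combined
# style fields, then Squid's "TAG:HIER" status and an "SNI:" field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<tag>\S+):(?P<hier>\S+) SNI:(?P<sni>\S+)$'
)

# Constructed sample: the two browser sessions from the thread, one request per line.
SAMPLE_LOG = """\
host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 "https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT SNI:ssl.mathemainzel.info
"""


def parse(lines):
    """Yield one dict of named fields per log line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def bump_failures(lines):
    """Count bumped HTTPS requests that Squid answered itself with a 5xx.

    A GET for an https:// URL (only visible because the connection was bumped)
    with a 5xx status and HIER_NONE means no origin server was contacted, i.e.
    the failure happened inside the proxy's TLS handling, not upstream.
    Returns {(client_host, sni, user_agent): count}.
    """
    failures = defaultdict(int)
    for r in parse(lines):
        if (r["method"] != "CONNECT" and r["url"].startswith("https://")
                and r["status"].startswith("5") and r["hier"] == "HIER_NONE"):
            failures[(r["host"], r["sni"], r["ua"])] += 1
    return dict(failures)


if __name__ == "__main__":
    for (client, sni, ua), n in bump_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{n} bump failure(s) for {client} -> {sni} with UA: {ua}")
```

Grouping by User-Agent quickly separates a client-side TLS stack that cannot negotiate with the generated certificate from a server-side or configuration problem that would affect every browser.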