On 27/07/21 9:15 pm, Vieri wrote:
>
> I have not changed anything in the OS so it might be because of a change in the remote web service.
> It might be that my openssl version is already too old (1.1.1g), and that the web site forces the use of an unsupported cipher?

I have also observed it on 2 instances of squid-4.6.2, starting 25/26th July. The configuration had been working fine for more than 9 months. OpenSSL versions are 1.0.2q and 1.1.1h. OS is OpenWrt-based custom firmware (hopbox) on x86_64.

If the proxy is explicitly set on the client, SSL-Bump with peek & splice works fine. If the traffic is intercepted, the HTTPS connection takes a long time to establish and times out in the browser. HTTP is fine with interception. There is no error in the logs. I suspected browser updates might have caused this, but it didn't work on both Chrome and Firefox.

Interception with peek & splice is working fine on squid-4.13 with OpenSSL 1.1.1i.

Configuration snippet for squid-4.6.2 with openssl 1.0.2q:
=========
http_port 3128
http_port 3127 intercept
https_port 3129 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/ssl_cert/MySSLCA.pem tls-dh=prime256v1:/etc/squid/ssl_cert/dhparam.pem options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 10
sslcrtd_program /usr/lib/squid/security_file_certgen -s /tmp/squid/ssldb -M 16MB
acl NoSSLIntercept ssl::server_name "/etc/squid/acls/nobump.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice !NoSSLIntercept
ssl_bump splice all
===========

Configuration snippet for squid-4.6.2 with openssl 1.1.1h:
===========
http_port 3128
http_port 3127 intercept
https_port 3129 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid/ssl_cert/citykartSSLCA.pem
sslcrtd_children 15
sslcrtd_program /usr/lib/squid/security_file_certgen -s /tmp/squid/ssldb -M 10MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
host_verify_strict off
client_dst_passthru on
===========

Configuration snippet for squid-4.13 with OpenSSL 1.1.1i:
==============
http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB tls-cert=/etc/squid/ssl_cert/MySSLCA.pem tls-key=/etc/squid/ssl_cert/MySSLCA.pem tls-dh=prime256v1:/etc/squid/ssl_cert/bump_dhparam.pem
sslcrtd_children 10
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
acl DiscoverSNIHost at_step SslBump1
#acl NoSSLIntercept ssl::server_name_regex "/etc/squid/acls/nobump.txt"
ssl_bump peek DiscoverSNIHost
#ssl_bump bump !NoSSLIntercept
ssl_bump splice all
=====================

iptables rules at all the routers:

# iptables-save | grep HTTP
-A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set ! --match-set direct dst -m comment --comment "!fw3: HTTP Intercept" -j DNAT --to-destination 10.0.0.1:3127
-A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set ! --match-set direct dst -m comment --comment "!fw3: HTTPS Intercept" -j DNAT --to-destination 10.0.0.1:3129

# iptables -nvL -t nat | grep HTTP
DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ! match-set direct dst /* !fw3: HTTP Intercept */ to:10.0.0.1:3127
DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ! match-set direct dst /* !fw3: HTTPS Intercept */ to:10.0.0.1:3129

I still suspect something has changed either on the browsers / Windows OS or the servers, which has increased the negotiation time and requests time out. Any further guidance to debug the issue would be greatly helpful.

Regards,
Nishant

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
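A debugging aid for the intercept case described in the post, added here as an example and not part of the original message or of Squid. With an explicit proxy, Squid learns the destination host from the CONNECT request; with interception it only has the destination IP plus whatever it can peek from the client's TLS ClientHello at SslBump1, so the first thing worth confirming from a packet capture on the router is what the ClientHello actually carries (SNI, offered cipher suites, supported_versions). The parser below reads the first TLS record of a captured client-to-server segment and reports those fields; the `build_client_hello` helper and the hostname `example.com` are constructed test input, not captured traffic.

```python
"""Inspect the fields Squid's peek step depends on in a TLS ClientHello.

Feed parse_client_hello() the raw bytes of the client's first TLS record
(e.g. the payload of the first data segment to port 443 in a tcpdump/pcap).
"""
import struct

EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(sni, cipher_suites, supported_versions) -> bytes:
    """Construct a minimal TLS ClientHello record (test input only)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name          # name_type host_name(0)
        lst = _u16(len(entry)) + entry                     # ServerNameList
        ext += _u16(EXT_SERVER_NAME) + _u16(len(lst)) + lst
    if supported_versions:
        body = b"".join(_u16(v) for v in supported_versions)
        sv = bytes([len(body)]) + body
        ext += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(sv)) + sv
    suites = b"".join(_u16(c) for c in cipher_suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"             # legacy_version, random, empty session id
             + _u16(len(suites)) + suites
             + b"\x01\x00"                                 # compression_methods: null only
             + _u16(len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake     # ContentType handshake(22)


def parse_client_hello(data: bytes) -> dict:
    """Return legacy_version, cipher_suites, sni and supported_versions from a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record: capture more bytes of the first segment")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                           # skip random
    pos += 1 + hello[pos]                                   # skip legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                   # skip compression_methods

    result = {"legacy_version": legacy_version, "cipher_suites": ciphers,
              "sni": None, "supported_versions": []}
    if pos + 2 > len(hello):                                # no extensions block at all
        return result
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            p = 2                                           # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0 and result["sni"] is None:    # host_name entry
                    result["sni"] = edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]
            result["supported_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                            for i in range(1, 1 + n, 2)]
    return result


def has_sni(data: bytes) -> bool:
    """True if the ClientHello names a host; a name-based ssl_bump acl has nothing to match otherwise."""
    return parse_client_hello(data)["sni"] is not None


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0xC02B], [0x0304, 0x0303])
    print(parse_client_hello(sample))
```

On the router, capture only the client's first segment to 443 (for example `tcpdump -i <lan-if> -s 0 -w hello.pcap 'tcp dst port 443'`) and pass the TCP payload of the first data packet to `parse_client_hello`; a record that parses here but still stalls at SslBump1 points at the proxy side rather than at what the browser sends, whereas a missing or unreadable SNI means a `ssl::server_name` acl can never match in intercept mode.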