Re: site opens only without ssl bump

[Majed Zouhairy <m_zouhairy@xxxxxxx>]

here is the log:

1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - 
HIER_NONE/- -
1667471161.771   1280 192.168.2.5 TCP_TUNNEL/200 3810944 CONNECT 
ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   5387 192.168.2.5 TCP_TUNNEL/200 5660 CONNECT 
ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   5146 192.168.2.5 TCP_TUNNEL/200 7630 CONNECT 
ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   6320 192.168.2.5 TCP_TUNNEL/200 6714 CONNECT 
ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667471165.956   5727 192.168.2.5 TCP_TUNNEL/200 17517 CONNECT 
cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667471165.956   6198 192.168.2.5 TCP_TUNNEL/200 1323841 CONNECT 
ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667471165.956   5615 192.168.2.5 TCP_TUNNEL/200 4962 CONNECT 
cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667484144.825      2 192.168.2.5 TCP_HIT/200 5394 GET 
http://config.avtunproxy.nl/v5/update.bin - HIER_NONE/- 
application/octet-stream
1667484144.874     33 192.168.2.5 TCP_MISS/200 1439 GET 
http://rand.avtunproxy.nl/v1/cms? - HIER_DIRECT/80.249.80.83 application/cms
1667484144.888      1 192.168.2.5 TCP_HIT/200 1847 GET 
http://dev.avast.nl/ca/crl/devca.crl - HIER_NONE/- application/x-pkcs7-crl
1667484144.896      8 192.168.2.5 NONE_NONE/200 0 CONNECT ncis.nl:443 - 
HIER_NONE/- -
1667484144.910      1 192.168.2.5 TCP_HIT/200 966 GET 
http://dev.avast.nl/ca/crl/rootca.crl - HIER_NONE/- application/x-pkcs7-crl
1667484144.940      1 192.168.2.5 TCP_HIT/200 894 GET 
http://dev.avast.nl/ca/crl/stend-gossuok-root-2019.crl - HIER_NONE/- 
application/x-pkcs7-crl
1667484144.968      0 192.168.2.5 TCP_HIT/200 1612 GET 
http://dev.avast.nl/ca/crl/stend-gossuok-sub-2019.crl - HIER_NONE/- 
application/x-pkcs7-crl
1667484145.007      6 192.168.2.5 TCP_REFRESH_MODIFIED/301 865 GET 
http://ncis.nl/wp-content/uploads/certificates/pki/kuc.crl - 
HIER_DIRECT/185.227.96.82 text/html
1667484145.058     17 192.168.2.5 NONE_NONE/200 0 CONNECT ncis.nl:443 - 
HIER_NONE/- -
1667484145.093      2 192.168.2.5 TCP_HIT/200 2128 GET 
http://dev.avast.nl/ca/cert/rootca.cer - HIER_NONE/- application/pkix-cert
1667484145.102      8 192.168.2.5 TCP_REFRESH_MODIFIED/301 865 GET 
http://ncis.nl/wp-content/uploads/certificates/pki/ruc.crl - 
HIER_DIRECT/185.227.96.82 text/html
1667484145.104      0 192.168.2.5 TCP_HIT/200 1366 GET 
http://dev.avast.nl/ca/cert/stend-gossuok-root-2019.cer - HIER_NONE/- 
application/pkix-cert
1667484145.134     18 192.168.2.5 TCP_REFRESH_MODIFIED/301 533 GET 
http://cdn.nlpost.nl/storage/file-manager/sertifikaty/kuc_62BNcDsS.cer - 
HIER_DIRECT/212.98.164.68 text/html
1667484145.175     16 192.168.2.5 NONE_NONE/200 0 CONNECT 
cdn.nlpost.nl:443 - HIER_NONE/- -
1667484145.464      9 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - 
HIER_NONE/- -
1667484146.685   1220 192.168.2.5 TCP_TUNNEL/500 3813629 CONNECT 
ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667484146.701      9 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - 
HIER_NONE/- -
1667484172.449      9 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484172.451      4 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484173.515      7 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484173.527      8 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484175.822    318 192.168.2.5 NONE_NONE/200 0 CONNECT 
autoupdate.geo.opera.com:443 - HIER_DIRECT/82.145.216.19 -
1667484178.545      8 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484178.570      5 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484178.571      5 192.168.2.5 NONE_NONE/200 0 CONNECT 
test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484205.078  60019 192.168.2.5 TCP_TUNNEL/200 5091 CONNECT 
ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667484205.525  60629 192.168.2.5 TCP_TUNNEL/200 1327955 CONNECT 
ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667484205.532  60357 192.168.2.5 TCP_TUNNEL/200 17517 CONNECT 
cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667484206.373      1 192.168.2.5 TCP_HIT/200 1203 GET 
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - HIER_NONE/- 
application/pkix-crl
1667484206.429     31 192.168.2.5 TCP_MISS/304 430 GET 
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? 
- HIER_DIRECT/93.184.221.240 -
1667484206.474     25 192.168.2.5 TCP_MISS/304 430 GET 
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? 
- HIER_DIRECT/93.184.221.240 -
1667484206.752  60050 192.168.2.5 TCP_TUNNEL/200 7630 CONNECT 
ckko.nl:443 - HIER_DIRECT/178.172.163.30 -


i added the following line to squid:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a 
%mt %err_code/%err_detail

with either

ssl_bump peek all
ssl_bump splice all

or

ssl_bump peek tls_s1_connect
ssl_bump splice all

it still does not work.


On 11/3/22 16:05, Alex Rousskov wrote:
> On 11/3/22 05:43, Majed Zouhairy wrote:
>
> > i have 2 proxies, one with ssl bump and one without, there is a 
> > internal site that opens only on the no ssl bump proxy.
> >
> > on the ssl bump proxy it displays:
>
>
> What does Squid say in access.log for this problematic request? Please 
> configure Squid to log %err_code/%err_detail before answering this 
> question. For example:
>
> logformat xsquid ...your regular %codes... %err_code/%err_detail
> access_log ... xsquid
>
>
>
> Does the site works if you temporary replace your ssl_bump rules with:
>
> ssl_bump peek all
> ssl_bump splice all
>
>
> Does the site works if you temporary replace your ssl_bump rules with:
>
> ssl_bump peek tls_s1_connect
> ssl_bump splice all
>
>
> Alex.
>
>
>
>
> > Не удается получить доступ к сайтуВеб-страница по адресу (i was unable 
> > to gain access to website:) 
> > https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback, возможно, временно недоступна или постоянно перемещена по новому адресу. (it is possible that it can not bbe reached or it has been permanently relocated to a new address)
> > ERR_TUNNEL_CONNECTION_FAILED
> >
> > the site needs special configurations to run:
> > it needs a local proxy to run, avtunproxy.nl
> > in the internet explorer settings:
> > the second box in the proxy settings needs to be checked called the 
> > "use the scenario for automatic configuration"
> > in it, the proxy address is plugged
> > http://127.0.0.1:10224/proxy.pac
> >
> > my bump settings are as follows:
> >
> >
> > acl     tls_s1_connect        at_step SslBump1
> > acl     tls_s2_client_hello     at_step SslBump2
> > acl     tls_s3_server_hello     at_step SslBump3
> >
> > # define acls for sites that must not be actively bumped
> >
> > acl     tls_allowed_hsts        ssl::server_name             
> > .akamaihd.net
> > acl     tls_allowed_hsts        ssl::server_name             
> > .proxy.ckko.nl
> > acl     tls_server_is_bank         ssl::server_name 
> > "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
> > acl     tls_to_splice     any-of     tls_allowed_hsts tls_server_is_bank
> >
> > # TLS/SSL bumping steps
> >
> > ssl_bump         peek                tls_s1_connect         # peek at 
> > TLS/SSL connect data
> > ssl_bump         splice                 tls_to_splice        # splice 
> > some: no active bump
> > ssl_bump         stare                 all                    # 
> > stare(peek) at server
> >                                                          # properties 
> > of the webserver
> > ssl_bump         bump
> >
> > contents of the 
> > /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
> >
> > .ckko.nl
> > .ias.ckko.nl
> > .test-auth.ias.ckko.nl
> > .config.avtunproxy.nl
> > .rand.avtunproxy.nl
> > .avast.nl
> > .dev.avast.nl
> > .ncis.nl
> > .cdn.nlpost.nl
> >
> > those are all the sites that are logged in on the non ssl bump proxy 
> > when ias.ckko.nl is accessed
> >
> > despite all this configuration, the site does not open. in ufdbguard 
> > every site from the user is a pass.
> >
> > in avtunproxy log :
> >
> > 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
> > https://ckko.nl/upload/certificates/8.crl
> > 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
> > [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> > 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
> > [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
> > 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
> > [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
> > read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
> > connection was forcibly closed by the remote host.
> > 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
> > [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
> > 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
> > [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> > 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
> > [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
> > 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
> > [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> > 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
> > [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
> > 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
> > [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> > 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
> > [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
> > 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
> > [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
> > read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing 
> > connection was forcibly closed by the remote host.
> > 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] 
> > [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
> > 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] 
> > [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> > 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] 
> > [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
> > test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
> > 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] 
> > [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
> > 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] 
> > [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
> > 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] 
> > [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
> > 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] 
> > [addr=127.0.0.1:10544] GET /api/v2/log
> >
> >
> > what is the solution?
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users