So is it a bug for the 500, or a bad configuration? I have also tried this setup and it seems to "fix" the TCP_TUNNEL/500:

    # Squid 5.x branch
    # SSL used for port ID 1, :3128 on
    # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
    # SSL Proxy options Proxy version:5.7 [146]
    sslcrtd_program /lib/squid3/security_file_certgen -s /media/squidtmpfs/ssl/ssl_db -M 64MB
    sslcrtd_children 32 startup=5 idle=1 queue-size=64
    acl AnnotateSSLGBW2 annotate_transaction whitelistssl=yes
    #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
    #it means the application knows what certificate to expect when accessing AppStore.
    #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a 'mimicked' one;
    #the application detects that and refuses to function.
    #
    acl FakeCert ssl::server_name .apple.com
    acl FakeCert ssl::server_name .icloud.com
    acl FakeCert ssl::server_name .mzstatic.com
    acl FakeCert ssl::server_name .dropbox.com
    acl FakeCert ssl::server_name .bnpparisbas
    acl SSLInternalNets dst 10.0.0.0/8
    acl SSLInternalNets dst 172.16.0.0/12
    acl SSLInternalNets dst 192.168.0.0/16
    acl ssl_step1 at_step SslBump1
    acl ssl_step2 at_step SslBump2
    acl ssl_step3 at_step SslBump3
    include /etc/squid3/ssl_whitelist.conf
    acl NotPeek any-of Group26
    ssl_bump peek !NotPeek
    acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
    ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2
    ssl_bump splice ByPassRBL AnnotateSSLGBW2
    ssl_bump splice SSLInternalNets AnnotateSSLGBW2
    ssl_bump splice FakeCert AnnotateSSLGBW2
    # Rules (spliced) added by admins....
    # 5 rules...
    # -------------- Personal rules -----------------
    # id:5
    # decrypt_cnn order:0
    acl AnnotateSSLW5 annotate_transaction bumprule=5
    ssl_bump bump Group26 AnnotateSSLW5
    ssl_bump splice all

    tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
    sslproxy_cert_error allow all
    on_unsupported_protocol tunnel all

Basically, the change I made is in the peek step, changing from

    ssl_bump peek ssl_step1

to

    acl NotPeek any-of Group26
    ssl_bump peek !NotPeek

Is this a good idea?

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: 12 January 2023 21:22
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: SSLBUMP for specific domains

On 13/01/2023 10:04 am, andre.bolinhas wrote:
> Forgot to attach the config file
>
> root@proxy01:~# cat /etc/squid3/ssl.conf
> # Squid 5.x branch
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
> # SSL Proxy options Proxy version:5.7 [146]
> sslcrtd_program /lib/squid3/security_file_certgen -s /media/squidtmpfs/ssl/ssl_db -M 64MB
> sslcrtd_children 32 startup=5 idle=1 queue-size=64
> acl AnnotateSSLGBW2 annotate_transaction whitelistssl=yes
> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a 'mimicked' one;
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl FakeCert ssl::server_name .bnpparisbas
> acl SSLInternalNets dst 10.0.0.0/8
> acl SSLInternalNets dst 172.16.0.0/12
> acl SSLInternalNets dst 192.168.0.0/16
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> include /etc/squid3/ssl_whitelist.conf
> ssl_bump peek ssl_step1
> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
> ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2
> ssl_bump splice ByPassRBL AnnotateSSLGBW2
> ssl_bump splice SSLInternalNets AnnotateSSLGBW2
> ssl_bump splice FakeCert AnnotateSSLGBW2
> # IMPRIM_RULE:5
> ssl_bump splice ByPassRBL AnnotateSSLGBW2
> ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2

FYI, those two lines are duplicates of the first ssl_bump rules. They do nothing here except waste CPU cycles.

> # Rules (spliced) added by admins....
> # 5 rules...
> # -------------- Personal rules -----------------
>
> # id:5
> # decrypt_cnn order:0
> acl AnnotateSSLW5 annotate_transaction bumprule=5
> ssl_bump bump Group26 AnnotateSSLW5
> ssl_bump splice all
>
> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
> sslproxy_cert_error allow all
> on_unsupported_protocol tunnel all
>
> -----Original Message-----
> From: squid-users On Behalf Of andre.bolinhas
> Sent: 12 January 2023 21:03
> Subject: Re: SSLBUMP for specific domains
>
> Hi Amos
> Thanks for your quick reply. I have done it as per the example, but now, even though internet surfing is OK for all websites, I get too many TCP_TUNNEL/500 entries in access.log for all websites that we are not decrypting
>
> 1673531433.924 31315 192.168.60.30 TCP_TUNNEL/500 4096 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"
> 1673531433.933 31324 192.168.60.30 TCP_TUNNEL/500 4695 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"
> 1673531437.798 35024 192.168.60.30 TCP_TUNNEL/500 76572 CONNECT www.sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"

By the differences in size and the existence of a remote server IP address in the log entries, I guess this is <https://bugs.squid-cache.org/show_bug.cgi?id=5252>.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
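To check a whole access.log for the symptom Amos describes (TCP_TUNNEL/500 entries that still carry an upstream HIER_DIRECT address and a real byte count, i.e. tunnels that ran but were logged as failed), here is an added example parser; it is not from the thread or from Squid itself. The field layout assumed is Squid's native access.log format as shown in the thread, and the sample lines are constructed (two mirror the posted entries, two are made-up contrasts).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Squid native access.log: time elapsed client code/status bytes method URL user
# hierarchy/peer content-type [annotations], annotations being key="value" or
# percent-encoded "key: value" pairs joined by %0D%0A (CRLF), as in the thread.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<code>\w+)/(?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) '
    r'(?P<hier>\w+)/(?P<peer>\S+) (?P<ctype>\S+)(?: (?P<rest>.*))?$')

# Constructed sample: first two mirror the thread, last two are made-up contrasts.
SAMPLE_LOG = """\
1673531433.924 31315 192.168.60.30 TCP_TUNNEL/500 4096 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"
1673531437.798 35024 192.168.60.30 TCP_TUNNEL/500 76572 CONNECT www.sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0A exterr="-|- splice"
1673531440.100 120 192.168.60.31 TCP_TUNNEL/200 8123 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10:443 - exterr="-|- splice"
1673531441.500 15 192.168.60.31 TCP_TUNNEL/500 0 CONNECT example.org:443 - HIER_NONE/- -
"""

def parse_annotations(rest):
    """Split trailing annotations into a dict, decoding the %-encoded multi-line ones."""
    notes = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    decoded = unquote(re.sub(r'\w+="[^"]*"', '', rest)).replace('\r', '')
    for item in decoded.split('\n'):
        key, sep, value = item.partition(':')
        if sep and key.strip():
            notes.setdefault(key.strip(), value.strip())
    return notes

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(elapsed=int(rec['elapsed']), status=int(rec['status']), bytes=int(rec['bytes']))
    rec['notes'] = parse_annotations(rec.pop('rest') or '')
    return rec

def tunnel_500_report(log_text):
    # Count TCP_TUNNEL/500 per CONNECT target and flag entries that nevertheless
    # reached a real upstream and moved bytes: a tunnel that ran but was logged as failed.
    by_dest, mislogged = Counter(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec['code'] != 'TCP_TUNNEL' or rec['status'] != 500:
            continue
        by_dest[rec['url']] += 1
        if rec['hier'] == 'HIER_DIRECT' and rec['peer'] != '-' and rec['bytes'] > 0:
            mislogged.append((rec['url'], rec['peer'], rec['bytes'], rec['notes'].get('exterr', '')))
    return by_dest, mislogged
```

Run `tunnel_500_report` over the real log to see which destinations produce the 500s and how many of them match the "completed tunnel, wrong status" pattern rather than genuine failures.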