Dear all, I recently compiled squid-3.4.9 with ssl-bump support and, although it is working for the most part, I'm having some issues accessing some websites.
The behavior is REALLY weird, so I'm going to try and describe it the best I can:

- If I access https://www.google.com/ in Chrome, I could see that it was processing my certificate MOST of the time... *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg
- Some other times, it seemed to bypass my proxy altogether, and I finally figured out it was because Chrome will try to access QUIC-enabled websites using that protocol, so it would bypass my firewall redirect rules! I believe I have now solved this by blocking FORWARD traffic on port 443 udp...
- The weird thing is that, if I then try to access https://gmail.com, I get a certificate error: *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1
- ...though sometimes I can access https://mail.gmail.com/ just fine (without any certificate errors), but stop being able to as soon as I try to access https://gmail.com/ and the browser complains about the certificate.
-- And, according to my tests, I can access it from Firefox just fine MOST of the time: *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2
-- though I have also seen situations where Firefox also complains about a certificate error when connecting to gmail.com.
- And, although I cannot reproduce it 100% of the time, sometimes, even though I have my iptables redirect rules ON, the browser still seems to "connect direct" (or, at least, it shows the original certificate)!
-- Like I said, at first I was able to trace this back to QUIC in Chrome, but... I'm currently blocking traffic on port 443 udp, so I don't know what's happening here (does it use different ports?!)

So, here are *my questions*:

- Why am I able to successfully ssl-bump https://www.google.com but not https://gmail.com/?
- Why does Chrome freak out about gmail but not Firefox?
- Is there a way to fix it OR, at least, to bypass it? (I tried creating an ACL for this and allowing direct traffic, but it didn't seem to work...)
-- Can we make the connection go direct when SSL certificate errors are detected?
- And has anyone else seen this problem where the browser seems to use the original certificate, even though I'm redirecting traffic to Squid?

Not sure if this is relevant, but here are some SSL errors I caught in my cache.log file:

root@server:/var/log/squid3# tail cache.log
2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 105: Closed by client
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 54: Broken pipe (32)
2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: Closed by client
2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 45: Closed by client
2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 68: Closed by client
root@server:/var/log/squid3#

By the way, here's how I generated my certificate:

# self-signed certificate and its private key, both written to myCA.pem (the file squid reads)
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# certificate only, DER-encoded, for importing into the clients' trust stores
openssl x509 -in myCA.pem -outform DER -out certificate.der

(note: myCA.pem is the certificate that squid is using and certificate.der is the one I've been installing on the client computers)

And here's what my current squid.conf looks like:

root@server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf
#Access Lists
acl home_network src 192.168.200.0/24

#Ports allowed through Squid
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT

#allow/deny
http_access allow home_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#explicit proxy port, intercepted HTTP, intercepted HTTPS (bumped with per-host certs signed by myCA.pem)
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem

#which connections to bump
acl broken_sites dstdomain .gmail.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/share/squid3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

#caching directory
cache_dir ufs /var/spool/squid3 1024 16 128
cache_mem 1024 MB

#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320

dns_nameservers 8.8.8.8

#rewrite program
redirect_program /etc/squid3/filter.php
root@server:/etc/squid3/ssl_cert#

Thanks in advance,
Luis
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
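The post above asks three practical things: whether the bumping CA is built correctly, what the clientNegotiateSSL lines in cache.log mean, and how to keep Chrome from escaping the intercept rules over QUIC. The script below is an added example written for this page; it is not code from the original post or from the Squid project. It generates the CA with explicit CA extensions (2048-bit RSA here, where the original command used rsa:1024), classifies the handshake failures found in a constructed cache.log excerpt, and emits the iptables rules that redirect TCP 80/443 into the intercept ports and refuse UDP 443. The 192.168.200.0/24 network and ports 3129/3130 come from the posted squid.conf; the output directory, the interface name eth1, the CA subject and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example for an intercepting squid ssl-bump setup (not the original
# poster's code).  Paths, interface name, CA subject and the log sample are
# constructed for illustration.
set -eu

# Constructed cache.log excerpt in the format Squid 3.4 uses.
SAMPLE_LOG='2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
2015/02/05 21:50:00 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 12: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2015/02/05 21:50:05 kid1| Squid Cache (Version 3.4.9): Exiting normally.'

# Count handshake failures on stdin by class.  "alert unknown ca" is the
# client saying it does not trust the CA that signed the mimicked cert (CA
# not installed, or installed but not as a trust anchor).  "Closed by client"
# and "Broken pipe" mean the client hung up without sending a TLS alert,
# which is also what a browser does when its own policy rejects the session.
summarize_negotiate_errors() {
    awk '
        /clientNegotiateSSL: Error negotiating SSL connection/ {
            if ($0 ~ /alert unknown ca/)      unknown_ca++
            else if ($0 ~ /Closed by client/) closed++
            else if ($0 ~ /Broken pipe/)      broken++
            else                              other++
        }
        END {
            printf "unknown_ca=%d closed_by_client=%d broken_pipe=%d other=%d\n",
                   unknown_ca + 0, closed + 0, broken + 0, other + 0
        }'
}

# Create the bumping CA in $1 (assumed directory).  myCA.pem holds key and
# certificate, which is what squid'"'"'s cert= option reads, so it stays
# root-only; myCA.der is the certificate alone and is the only file that
# should ever be copied to client machines.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Squid ssl-bump CA (example)
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077 &&
      openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
          -config "$dir/ca.cnf" -keyout "$dir/myCA.pem" -out "$dir/myCA.pem" )
    openssl x509 -in "$dir/myCA.pem" -outform DER -out "$dir/myCA.der"
}

# Succeed only if $1 carries the CA:TRUE basic constraint, i.e. clients will
# accept certificates it signs once it is installed as a trust anchor.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Apply (IPT=iptables) or just print (IPT=echo) the interception rules.
# $1 is the LAN-facing interface (assumed name).  Matching on -i keeps the
# proxy'"'"'s own outbound connections out of the REDIRECT rules.  UDP 443 is
# rejected rather than dropped so the browser gives up on QUIC immediately
# and falls back to TCP, where the redirect applies.
intercept_rules() {
    lan_if=$1
    : "${IPT:=iptables}"
    $IPT -t nat -A PREROUTING -i "$lan_if" -s 192.168.200.0/24 -p tcp --dport 80  -j REDIRECT --to-ports 3129
    $IPT -t nat -A PREROUTING -i "$lan_if" -s 192.168.200.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3130
    $IPT -A FORWARD -i "$lan_if" -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
}

# Stand-alone run: classify the sample log and show the rule set.  Creating
# the CA is left to the operator, e.g. make_bump_ca /etc/squid3/ssl_cert
printf '%s\n' "$SAMPLE_LOG" | summarize_negotiate_errors
IPT=echo intercept_rules eth1
```

One caveat on the `ssl_bump none broken_sites` approach in the posted config: Squid 3.4 cannot read the TLS SNI of an intercepted connection (peek/splice only arrived in 3.5), so when that `ssl_bump` line is evaluated the only thing known about the destination is its IP address, and a `dstdomain` ACL for shared Google addresses is not a reliable way to exempt gmail.com. A REJECT on UDP 443 is also worth keeping even after QUIC is disabled in the browser, since a retry over UDP that silently times out looks exactly like the "sometimes it connects direct" symptom described above.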