Hi All,

I am trying to configure an intercept proxy with peek/splice/terminate features 
in Squid 3.5.1 on CentOS 7 (64-bit). I wanted to peek at step 1 and step 2 and 
to decide whether to terminate at step 3 based on the SNI and server certificate 
values. It is working only for https://www.google.com, but a lot of other SSL 
sites (the likes of https://www.yahoo.com etc.) are not getting loaded, logging an 
"Error negotiating SSL on FD 36: error:140920E3:SSL 
routines:SSL3_GET_SERVER_HELLO:parse tlsext" in the cache.log (trying the 
same sites using the openssl s_client command works). I was wondering if it has 
anything to do with my config or OpenSSL (version 1.0.1e) or anything else. The 
web sites are being accessed from a Windows 7 workstation with IE 8 and Firefox 
35.0.1. Below is the squid.config section for peek and splice I am using.

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl step3 at_step  SslBump3


external_acl_type SSL_URL_Filter %SRC %ssl::>sni %ssl::<cert_subject </path/to/urlfilterscript>

acl URL_Allowed external SSL_URL_Filter


ssl_bump peek step1 all

ssl_bump peek step2 all

ssl_bump terminate step3 !URL_Allowed

ssl_bump splice step3 all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem

Thanks in Advance,
John
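
An added example, not part of John's message and not Squid's own code: a minimal external ACL helper of the kind the SSL_URL_Filter line above points to, taking %SRC, the SNI and the server certificate subject and answering OK or ERR. It assumes Squid's line-based helper protocol (one request per line, fields URL-escaped, "-" for a missing value), an OpenSSL one-line subject such as /C=US/CN=host, and a constructed allowlist; the function names and the policy are hypothetical.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import unquote

# Constructed allowlist of domain suffixes (assumption, not from the post).
ALLOWED_SUFFIXES = ("example.com", "example.org")

def host_allowed(host):
    """True when host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def subject_cn(subject):
    """Return the CN of a one-line subject (/C=US/O=X/CN=host), or None."""
    for part in subject.split("/"):
        if part.upper().startswith("CN="):
            return part[3:]
    return None

def decide(line):
    """Answer one request line of the form: SRC SNI CERT_SUBJECT."""
    # Split first, then decode, so an escaped space (%20) stays in its field.
    fields = [unquote(f) for f in line.split()]
    if len(fields) != 3:
        return "ERR"
    _src, sni, subject = fields
    names = []
    if sni != "-":                      # "-" means the client sent no SNI
        names.append(sni)
    cn = subject_cn(subject)
    if cn:                              # treat *.example.com as example.com
        names.append(cn[2:] if cn.startswith("*.") else cn)
    # Fail closed: every name we saw must be allowed, and we must see one.
    return "OK" if names and all(host_allowed(n) for n in names) else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()              # Squid blocks until it reads the reply

if __name__ == "__main__":
    main()
```

With the rules above, ERR makes !URL_Allowed match at step 3 and the connection is terminated; OK falls through to the splice rule.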
