Hi,

I also have a similar environment with squid (version 3.5.2-20150218-r13758) and openssl 1.0.1k, but for me only a small number of https sites work with peek and splice. For example, I can access https://www.google.com but not https://ssllabs.com and a lot of other https domains, which give "Error negotiating SSL on FD 15: error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext (1/-1/0)" in the cache.log file.
I could also see a bunch of other error messages in the cache.log file relating to openssl (like "Error negotiating SSL on FD 21: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early (1/-1/0)", "Error verifying certificates", etc.) when I tried to access sites like https://www.facebook.com, https://www.yahoo.com, etc.

Squid is running on a CentOS 7 x64 box and the workstation is Win7 with Firefox and Chrome. I tried building openssl with certain options disabled (no-nextprotoneg and no-ec) as well as with the recent openssl version 1.0.2, but without any success.

Below is my squid config file.

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

ssl_bump peek all
ssl_bump splice all

# Squid normally listens to port 3128
http_port <WAN Interface IP>:3128
http_port <WAN Interface IP>:3129 intercept
https_port <WAN Interface IP>:3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem

Does this have anything to do with something specific to my environment or the config options? Any help on this is highly appreciated.

Thanks in advance,
John

On Tue, Mar 10, 2015 at 10:42 PM, Roel van Meer <r...@1afa.com> wrote:
> Roel van Meer writes:
>
>>>> I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
>>>> Traffic is redirected from port 443 to 3130 with iptables.
>>>
>>> ... and with an older version of OpenSSL missing many of the last few
>>> years' worth of TLS crypto features. IIRC the library releases are now up
>>> to 1.1.* or something. It's best to keep that kind of thing operating on the
>>> latest versions.
>>>
>>>> I know it's missing the latest features, but security patches are
>>>> backported. And I know it is old, but it's what I have to work with
>>>> now. Do you think it might be the cause of the problem I'm having with
>>>> peek/splice, or was it a general recommendation?
>>>
>>> It's a potential source of problems. Chrome is very much on the front
>>> line of the arms race attempting to stop things like SSL-Bump working.
>>> Firefox implements their own crypto library which tracks the latest TLS
>>> features at a similar speed of development.
>>> OpenSSL will be perpetually behind both of them, but at least the latest
>>> one(s) have better chances of not advertising features they reject on
>>> "considered harmful" grounds.
>>
>> I'll have a go then at trying with a newer openssl and the patches from
>> the thread you mentioned.
>
> With Squid 3.5.2 built with openssl 1.0.1k I can splice https connections
> with no trouble. Tested with Lync, Chrome, Firefox, and IE.
>
> So you were right. :) Thanks a lot for pointing me in the right direction!
>
> Cheers,
>
> Roel
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
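As an added example (not config from the thread, and not something either poster tested), here is the same splice-only policy written in the step-wise form that Squid 3.5's `at_step` ACL allows, next to the `peek all` / `splice all` form from the config above. The `<WAN Interface IP>` placeholder and the certificate paths are copied from that config; the ACL name `step1` is a choice of this example; and the claim that the second variant sidesteps the OpenSSL handshake errors quoted in the thread is an assumption drawn from how the steps work, not something the thread confirms.

```conf
# Added example, not from the thread. Assumes Squid 3.5 built with OpenSSL
# and the same <WAN Interface IP> placeholder and cert paths as the post above.

# SslBump1 is the step at which Squid has only read the client's ClientHello
# (server name, ciphers, extensions) and has not yet contacted the origin.
acl step1 at_step SslBump1

# Variant A, as posted in the thread above.
# "peek all" also peeks at step 2, which means Squid forwards the client's
# ClientHello to the origin server and its own OpenSSL must then parse the
# server's ServerHello, extensions and certificate chain before "splice all"
# is reached. Errors raised while parsing that server response (such as the
# SSL3_GET_SERVER_HELLO / "Error verifying certificates" lines in cache.log)
# are therefore raised by Squid's OpenSSL, not by the browser.
#ssl_bump peek all
#ssl_bump splice all

# Variant B: inspect the ClientHello only, then tunnel.
# After peeking at step 1 the splice decision is taken at step 2, before Squid
# has parsed anything from the origin server; from then on Squid relays the
# TLS bytes between client and server without terminating either side.
# Assumption of this example: because Squid's OpenSSL never parses the origin
# server's handshake here, it cannot fail on it the way Variant A can.
ssl_bump peek step1
ssl_bump splice all

# Listening ports, unchanged from the post above.
http_port <WAN Interface IP>:3128
http_port <WAN Interface IP>:3129 intercept
https_port <WAN Interface IP>:3130 intercept ssl-bump cert=/tmp/sslcertificates/server.cert.pem key=/tmp/sslcertificates/server.key.pem
```

With Variant B the only TLS data Squid itself interprets is the client's ClientHello, which is enough for SNI-based ACLs on `ssl::server_name`; anything that requires seeing the server's certificate (for example deciding to bump or terminate based on the origin's identity) still needs a step 2 peek, and with it the dependency on the proxy's OpenSSL being able to parse whatever the origin sends.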