Okay, it's not a name of the cert problem. I turned on extra debug info to see what I get when I remove the DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is what I got in the cache.log. I only see a couple of lines about a certificate error. Sorry this is long but I didn't know what to include so I just included everything for that one access attempt.
2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:49732) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' NOT found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443 remote=10.40.40.110:49732 FD 14 flags=33 method 3
2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:49732) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <> .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .akamaihd.net
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'tiles.services.mozilla.com'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:tiles.services.mozilla.com <> .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'tiles.services.mozilla.com' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .wellsfargo.com
2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[::] ([::]:49732) vs [::]-[::]/[::]
2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:49732' found
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong: local=52.34.245.108:443 remote=10.40.40.110:49732 flags=33
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0 query ARP table
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0 query ARP on each interface (128 found)
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface lo
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0 found interface eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:40595) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:40595' found
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950198
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c
2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc
2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950ae8 checking fast ACLs
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950ae8 answer ALLOWED for match
2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8
2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638 query ARP table
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638 query ARP on each interface (128 found)
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface lo
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth2
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638 found interface eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638 looking up ARP address for 10.40.40.110 on eth1
2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638 got address 08:00:27:29:24:4a on eth1
2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950dec
2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking localhostgreen
2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.40.40.110:35474) vs 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' NOT found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: localhostgreen = 0
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474) vs [::]-[::]/[::]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909) httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443 remote=10.40.40.110:35474 FD 18 flags=33 method 3
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28 checking slow rules
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access
2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking http_access#1
2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking SWE_subnets
2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (10.40.40.0:35474) vs 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: SWE_subnets = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished: 0xa214d28 answer ALLOWED for match
2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa214d28
2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0 is banned
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/3is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s1_connect
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s1_connect = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/6is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_to_splice
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_allowed_hsts
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <> .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .akamaihd.net
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_allowed_hsts = 0
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_server_is_bank
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'www.yahoo.com'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:www.yahoo.com <> .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'www.yahoo.com' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .wellsfargo.com
2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_server_is_bank = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_to_splice = 0
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/4is not banned
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking tls_s2_client_hello
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: tls_s2_client_hello = 1
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474) vs [::]-[::]/[::]
2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf95080c
2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: aclCheckFast: list: 0x9de0a80
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'DENIED/0is not banned
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error#1
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all
2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[::] ([::]:35474) vs [::]-[::]/[::]
2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.40.40.110:35474' found
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error#1 = 1
2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: sslproxy_cert_error = 1
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950b68 checking fast ACLs
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950b68 answer ALLOWED for match
2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68
2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950b68
2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: local=98.138.253.109:443 remote=10.40.40.110:35474 flags=33
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: 0xbf950c28 checking fast ACLs
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log stdio:/var/log/squid/access.log
2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log stdio:/var/log/squid/access.log line)
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log stdio:/var/log/squid/access.log line) = 1
2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log stdio:/var/log/squid/access.log = 1
2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: 0xbf950c28 answer ALLOWED for match
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xbf950c28
2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8
2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0xa210ad8

The web browser error says: "Failed to establish a secure connection to (a yahoo.com IP address was here)" and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)" and "Certificate issuer (CA) not known".

On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.presc...@gmail.com> wrote:
> Thanks for the info, Alex. That's very helpful about cleaning up my ACLs.
> Those ACLs are a collection of ACLs that others have suggested I use, but
> it would be nice to make them less confusing for me.
>
> With my limited understanding of how sslbump works, the idea for squid to
> play MITM is that a self-signed cert like squidCA.der is imported to a
> browser's root CAs. I have left a copy of the self-signed cert named
> squidCA.pem in the squid's cert directory which only works if squid is told
> to not verify the peer. When following the instructions how to generate the
> self-signed cert with openssl, the .pem file must be converted to a .der
> file for the browser to accept it. It just dawned on me that, could this be
> related to the fact that the squid self-signed certs are not named the same?
>
> On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>
>> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>>
>> > ssl_bump none localhostgreen
>> > ssl_bump peek tls_s1_connect all
>> > ssl_bump splice tls_s2_client_hello tls_to_splice
>> > ssl_bump stare tls_s2_client_hello all
>> > ssl_bump bump tls_s3_server_hello all
>>
>> AFAICT, the above is too complex.
>> You can simplify it with:
>>
>> ssl_bump splice localhostgreen
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice tls_to_splice
>> ssl_bump stare all
>> ssl_bump bump all
>>
>> and, after polishing your ACLs a little, possibly even with:
>>
>> ssl_bump splice transactions_to_splice
>> ssl_bump peek tls_s1_connect
>> ssl_bump stare all
>> ssl_bump bump all
>>
>> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
>> and tls_to_splice)".
>>
>> As for your original question, I recommend figuring out why Squid cannot
>> verify the peer. For example, your setup might be missing fresh
>> certificates for some well-known Root CAs. I do not know a good way to
>> figure out why peer verification does not work, but analyzing cache.log
>> with high-enough debugging level should be doable, especially if you can
>> reproduce the problem using a single transaction:
>>
>> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>
>> HTH,
>>
>> Alex.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
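Editor's note (added example, not part of the thread or of Squid's own code): the browser's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and Squid's "certificate verify failed" are the same verdict, "the presented leaf's issuer is not in my trust store", which is exactly what Alex's "missing fresh certificates for some well-known Root CAs" would cause. Note that it concerns the Squid-to-origin side only: the squidCA.der imported into the browser and the squidCA.pem Squid signs generated certificates with play no part in how Squid verifies yahoo.com's chain, so renaming them cannot fix this. The script below reproduces the error offline with a throwaway PKI and shows the same leaf verifying once its issuer is in the bundle. Everything in it is constructed for the demonstration: the names "Toy Root CA", "Some Other Root CA" and "www.example.test", the helper functions make_root, make_leaf and chain_status, and the temporary files they write.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): reproduce
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY offline with a throwaway PKI,
# then show the same leaf verifying against a bundle that holds its issuer.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the toy roots carry CA:TRUE; -subj overrides the CN.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME CN : self-signed root CA -> $WORK/NAME.key, $WORK/NAME.pem
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf ROOT CN : server certificate issued by ROOT -> $WORK/leaf.pem
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# chain_status TRUSTFILE LEAF : prints "OK" (status 0) when LEAF chains to a
# root in TRUSTFILE, otherwise the X509 error text openssl reports (status 1).
chain_status() {
  cs_out="$(openssl verify -CAfile "$1" "$2" 2>&1)" || true
  case "$cs_out" in
    *": OK"*) echo "OK"; return 0 ;;
  esac
  # failure line: "error 20 at 0 depth lookup: unable to get local issuer certificate"
  printf '%s\n' "$cs_out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  return 1
}

make_root trusted   "Toy Root CA"         # stands in for the public root behind the origin
make_root unrelated "Some Other Root CA"  # stands in for a bundle that lacks that root
make_leaf trusted   "www.example.test"    # stands in for the origin server's certificate

# What Squid sees when its CA bundle does not contain the origin's issuer:
echo "bundle without issuer: $(chain_status "$WORK/unrelated.pem" "$WORK/leaf.pem" || true)"
# The same leaf once the issuer is in the bundle:
echo "bundle with issuer:    $(chain_status "$WORK/trusted.pem" "$WORK/leaf.pem")"
```

To run the same check against the real failure, capture the chain yahoo.com presents with `openssl s_client -connect www.yahoo.com:443 -servername www.yahoo.com -showcerts`, save the leaf and intermediates, and run `openssl verify -CAfile <bundle> -untrusted <intermediates> <leaf>` with the bundle (or `-CApath` directory) that Squid is configured to verify against (`sslproxy_cafile` / `sslproxy_capath` in Squid 3.5). If that command reports error 20, the fix is the bundle, not the ssl_bump rules or the certificate file names.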