[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

Please help me in solving this issue. If anyone has solved the issue about the blank page when we open 'http://www.hotmail.com', please reply.

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666957.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

OS is CentOS 5.5

uname -a :
Linux username 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 i686 i386 GNU/Linux

getenforce :
Disabled

ls -la /etc/squid3/ssl_cert/
total 20
drwxr-xr-x 3 root root 4096 Jun 10 14:33 .
drwxr-xr-x 3 root root 4096 Jun 10 14:32 ..
-rw-r--r-- 1 root root  848 Jun 10 14:33 myCA.der
-rw-r--r-- 1 root root 2091 Jun 10 14:32 myCA.pem
drwxr-xr-x 2 root root 4096 Jun 10 14:32 ssl_db

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p409.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

Please help me out of this issue. I'm still getting a blank page when I open 'https://www.hotmail.com' and the ssld_program is crashing rapidly. Please help me. Thanks in advance.

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666587.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
My guess is that the ssl_crtd crashing is causing the issue.
What OS are you using?

uname -a
getenforce
ls -lza /location/of/the/ssl_crtd

Eliezer

On 07/02/2014 09:55 AM, vin_krish wrote:
> Hi Eliezer,
>
> Please help me out of this issue. I'm still getting a blank page when I open 'https://www.hotmail.com' and the ssld_program is crashing rapidly. Please help me. Thanks in advance.
>
> Regards,
> krish
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
On 10/06/2014 5:09 p.m., vin_krish wrote:
> Hi Eliezer,
>
> Sorry for the late reply as I was busy with some other issues. I tested long back but was not able to reply to you. I tested with your bash script but it throws an error all the time as:
>
> 2014/06/10 10:33:13| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
> 2014/06/10 10:33:13| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 20 flags=41
> 2014/06/10 10:33:13| WARNING: ssl_crtd #Hlpr0 exited

This is the problem. Why did that happen?

Usually we find this is from incorrect access permissions to the /etc/squid3/ssl_cert/ssl_db or corrupted file(s) there.

> 2014/06/10 10:33:13| Too few ssl_crtd processes are running (need 1/10)
> 2014/06/10 10:33:13| Closing HTTP port [::]:3128
> 2014/06/10 10:33:13| Closing HTTPS port [::]:3129
> 2014/06/10 10:33:13| storeDirWriteCleanLogs: Starting...
> 2014/06/10 10:33:13| Finished. Wrote 0 entries.
> 2014/06/10 10:33:13| Took 0.00 seconds ( 0.00 entries/sec).
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> and my configuration is:
>
> http_port 3128
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/myCA.pem
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/squid3/ssl_cert/ssl_db -M 16MB
> sslcrtd_children 10
>
> I have gone through the forum and searched also; they specify changing the permissions and ownership of the ssl directory to my user 'squid', but it didn't work.

Did you run the ssl_crtd tool as that user when you created it?

Amos
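Amos's question is about who owns the ssl_db that ssl_crtd writes to. The script below is an added example for checking that (not code from the thread or from the Squid project): it pulls the `-s` path of `sslcrtd_program` and `cache_effective_user` out of a squid.conf and reports anything in the db not owned by that user. The db layout (index.txt, size, certs/) is what `ssl_crtd -c` creates; falling back to the user "squid" when `cache_effective_user` is unset is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project. Reads the
# sslcrtd_program -s path and cache_effective_user from a squid.conf and checks
# that the ssl_db directory is initialised and owned by that user. The db layout
# (index.txt, size, certs/) is what `ssl_crtd -c` creates; defaulting to the
# user "squid" when cache_effective_user is unset is an assumption here.

# ssl_db_dir CONF -> the -s argument of sslcrtd_program, or nothing if unset
ssl_db_dir() {
    sed -n 's/^[[:space:]]*sslcrtd_program[[:space:]].*-s[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# helper_user CONF DEFAULT -> cache_effective_user value, or DEFAULT when unset
helper_user() {
    u=$(sed -n 's/^[[:space:]]*cache_effective_user[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    echo "${u:-$2}"
}

# check_ssl_db DIR USER -> 0 when DIR exists, is complete and is owned by USER
check_ssl_db() {
    dir="$1"; user="$2"; rc=0
    id "$user" >/dev/null 2>&1 || { echo "ERROR: no such user '$user'" >&2; return 1; }
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir missing; create it as $user with: ssl_crtd -c -s $dir" >&2
        return 1
    fi
    for f in index.txt size certs; do        # entries created by ssl_crtd -c
        [ -e "$dir/$f" ] || { echo "MISSING: $dir/$f (db never initialised?)" >&2; rc=1; }
    done
    # Once Squid drops privileges the helper runs as USER; anything it cannot
    # write makes it exit, which Squid logs as "WARNING: ssl_crtd #Hlpr0 exited".
    bad=$(find "$dir" ! -user "$user" -print)
    [ -z "$bad" ] || { printf 'NOT OWNED BY %s:\n%s\n' "$user" "$bad" >&2; rc=1; }
    return $rc
}

# check_conf CONF [DEFAULT_USER] -> run the check for the ssl_db named in CONF
check_conf() {
    dir=$(ssl_db_dir "$1")
    [ -n "$dir" ] || { echo "no 'sslcrtd_program ... -s DIR' in $1" >&2; return 1; }
    check_ssl_db "$dir" "$(helper_user "$1" "${2:-squid}")"
}
```

Run as `check_conf /etc/squid/squid.conf` after a `squid -kparse` that passes; a clean exit means the helper user owns every file it will need to write.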
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Amos,

When I created 'ssl_crtd', by default it had 'root' permission, then I changed it to my user 'squid' and ran it. After changing to my user the error still comes. But when I ran it at the command prompt with

/usr/local/squid/libexec/ssl_crtd -c -s /etc/squid3/ssl_cert/ssl_db

it initialized; then I tried to run it from squid.conf as mentioned in the doc,

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/squid3/ssl_cert/ssl_db -M 16MB

then the error comes:

FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Thanks for the reply.

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666282.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

Sorry for the late reply as I was busy with some other issues. I tested long back but was not able to reply to you. I tested with your bash script but it throws an error all the time as:

2014/06/10 10:33:13| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
2014/06/10 10:33:13| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 20 flags=41
2014/06/10 10:33:13| WARNING: ssl_crtd #Hlpr0 exited
2014/06/10 10:33:13| Too few ssl_crtd processes are running (need 1/10)
2014/06/10 10:33:13| Closing HTTP port [::]:3128
2014/06/10 10:33:13| Closing HTTPS port [::]:3129
2014/06/10 10:33:13| storeDirWriteCleanLogs: Starting...
2014/06/10 10:33:13| Finished. Wrote 0 entries.
2014/06/10 10:33:13| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

and my configuration is:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/squid3/ssl_cert/ssl_db -M 16MB
sslcrtd_children 10

I have gone through the forum and searched also; they specify changing the permissions and ownership of the ssl directory to my user 'squid', but it didn't work.

Can you please help me out...

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666279.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
On 05/21/2014 02:31 PM, vin_krish wrote:
> http_port 8080 //for forward proxy
> https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=

Try to take a look at this:
http://www1.ngtech.co.il/paste/1133/

It's not perfect and might have wrong parts of bash, but these are the basic ssl-bump settings that work for me and many more.

Eliezer
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Amos,

I have NAT'ed tcp ports 80 and 443 to 3128 and 3129 as below:

iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp -m tcp -m multiport --dports 443 -j REDIRECT --to-ports 3129

and configured the squid ports as:

# HTTP browser explicit proxy config
http_port 8080

# HTTP port 80 NAT'ed
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

# HTTPS port 443 NAT'ed
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

as I'm running squid in transparent mode and used the ssl-bump server-first option. I have imported my certificate in the Firefox browser.

I want to allow all SSL/TLS versions, so I have mentioned options= in the port configuration as mentioned in the docs:

options=  Various SSL implementation options. The most important being:
    NO_SSLv2       Disallow the use of SSLv2
    NO_SSLv3       Disallow the use of SSLv3
    NO_TLSv1       Disallow the use of TLSv1.0
    NO_TLSv1_1     Disallow the use of TLSv1.1
    NO_TLSv1_2     Disallow the use of TLSv1.2
    SINGLE_DH_USE  Always create a new key when using temporary/ephemeral DH key exchanges
    ALL            Enable various bug workarounds suggested as harmless by OpenSSL
                   Be warned that this reduces SSL/TLS strength to some attacks.
    See OpenSSL SSL_CTX_set_options documentation for a complete list of options.

I tried with options=ALL and without options=. But still the protocol error exists when I go to 'http://www.hotmail.com'. Am I missing something..?

Thanks for replying,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666068.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi,

When I access 'https://www.hotmail.com', I get a protocol error with the following logs:

The cache log shows as below:
2014/05/21 11:51:42 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 21: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list (1/-1/0)

The access log shows as below:
1400652009.479 0 10.0.0.2 TAG_NONE/503 4185 GET https://login.live.com/login.srf? - HIER_NONE/- text/html
1400652009.573 0 10.0.0.2 TAG_NONE/400 4064 GET /my-warning - HIER_NONE/- text/html

Regards,
vin_krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666036.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

When I remove 'transparent' in 'http_port', I get an 'Invalid URL' error. I have enabled DNS also.

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666037.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
On 21/05/2014 6:37 p.m., vin_krish wrote:
> Hi Eliezer,
>
> When I remove 'transparent' in 'http_port', I get an 'Invalid URL' error. I have enabled DNS also.

Eliezer did not mention the transparent option.

You are using http_port and sending it HTTP*S* traffic. You need to configure http*S*_port with the intercept and ssl-bump options.

Amos
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
Hey,

First verify that you have fixed the errors, which can also be seen using the command squid -kparse. There is nothing we can help you with if the settings are not in place.

Did you change the http_port line which is supposed to be an https_port line?

Eliezer

On 05/21/2014 09:34 AM, vin_krish wrote:
> Hi,
>
> When I access 'https://www.hotmail.com', I get a protocol error with the following logs:
>
> The cache log shows as below:
> 2014/05/21 11:51:42 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 21: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list (1/-1/0)
>
> The access log shows as below:
> 1400652009.479 0 10.0.0.2 TAG_NONE/503 4185 GET https://login.live.com/login.srf? - HIER_NONE/- text/html
> 1400652009.573 0 10.0.0.2 TAG_NONE/400 4064 GET /my-warning - HIER_NONE/- text/html
>
> Regards,
> vin_krish
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666036.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Hotmail issue in squid 3.4.4
Hi Eliezer,

I have configured it as:

http_port 8080 //for forward proxy
https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=

but still the 'protocol error' exists. And I tried

http_port 8080 //for forward proxy
http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=

still the same 'protocol error'. Is it due to the self-signed certificate..? It should work when I access http://www.hotmail.com, but it doesn't, as I'm redirecting port 80 to 3128.

Thanks for replying,

Regards,
krish

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666048.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: Hotmail issue in squid 3.4.4
Consider closely what protocol you are sending to which Squid ports ...

# HTTP browser explicit proxy config
http_port 8080

# HTTP port 80 NAT'ed
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

# HTTPS port 443 NAT'ed
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=...

Once you understand what the protocols are it should be clear how and why the config options work.

Amos

On 21/05/2014 11:31 p.m., vin_krish wrote:
> Hi Eliezer,
>
> I have configured it as:
>
> http_port 8080 //for forward proxy
> https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=
>
> but still the 'protocol error' exists. And I tried
>
> http_port 8080 //for forward proxy
> http_port 3128
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=cert.crt key=cert.key options=
>
> still the same 'protocol error'. Is it due to the self-signed certificate..? It should work when I access http://www.hotmail.com, but it doesn't, as I'm redirecting port 80 to 3128.
>
> Thanks for replying,
>
> Regards,
> krish
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Hotmail-issue-in-squid-3-4-4-tp4666020p4666048.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
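Amos's point is that the protocol arriving on each NAT'ed port must match the directive listening there: port 443 needs an `https_port ... intercept ssl-bump` line, port 80 an `http_port ... intercept` line. The script below is an added example (not code from the thread or from the Squid project) that cross-checks iptables REDIRECT rules against a squid.conf and flags the mismatch in krish's first attempt, where port 80 was sent to an `https_port`.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project. Cross-checks
# iptables REDIRECT rules against squid.conf so that intercepted port-443 traffic
# lands on an "https_port ... intercept" line and port-80 traffic on an
# "http_port ... intercept" line. CONF is a squid.conf, RULES is iptables-save output.

# squid_port_kind CONF PORT -> http | http-intercept | https | https-intercept | none
squid_port_kind() {
    awk -v p="$2" '
        $1 == "http_port"  && $2 ~ ("(^|:)" p "$") { k = ($3 == "intercept") ? "http-intercept"  : "http" }
        $1 == "https_port" && $2 ~ ("(^|:)" p "$") { k = ($3 == "intercept") ? "https-intercept" : "https" }
        END { print (k == "" ? "none" : k) }' "$1"
}

# expected_kind DPORT -> the kind of Squid port an intercepted DPORT connection needs
expected_kind() {
    case "$1" in
        80)  echo http-intercept ;;
        443) echo https-intercept ;;
        *)   echo unknown ;;          # other ports are outside this example
    esac
}

# check_redirects CONF RULES -> 0 when every REDIRECT in RULES targets a port of the right kind
check_redirects() {
    rc=0
    pairs=$(mktemp)
    # iptables-save style: "... --dports 443 -j REDIRECT --to-ports 3129" -> "443 3129"
    sed -n 's/.*--dports* \([0-9]*\) .*-j REDIRECT --to-ports \([0-9]*\).*/\1 \2/p' "$2" > "$pairs"
    while read -r dport toport; do
        want=$(expected_kind "$dport")
        have=$(squid_port_kind "$1" "$toport")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH: port $dport is redirected to $toport, a '$have' port (needs '$want')" >&2
            rc=1
        fi
    done < "$pairs"
    rm -f "$pairs"
    return $rc
}
```

Typical use is `iptables-save -t nat > rules.txt; check_redirects /etc/squid/squid.conf rules.txt`.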