Re: [squid-users] sslproxyflags DONT_VERIFY_PEER

Stanford Prescott Wed, 03 Aug 2016 19:31:47 -0700

That would explain the error if the Verisign Class 3 public root CA were
missing. However, our Smoothwall Express OS has all the standard root CAs
package found in /usr/ssl/certs. Do I need to tell squid where to find
those certs? If so, what config directive would I use for that?


Thanks!

On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg <
bruce.rosenberg...@gmail.com> wrote:

> It looks like you are missing the Verisign Class 3 Public Primary Root
> cert.
> Notice the certificate chain list below.
> Yahoo correctly send back all intermediate certificates in the TLS
> handshake so the only certificate you need to make sure squid trusts (via
> openssl) is the Verisign root.
>
> You should be able to determine if the openssl client on the squid proxy
> can verify the complete chain by running the following command on the proxy.
> The important part is that at each step it outputs "verify return: 1"
> meaning that the certificate at that depth in the chain was successfully
> verified by it's issuing certificate i.e. the certificate at the previous
> higher level depth that we have already established we trust.
> The root certificate is automagically verified by virtue of being
> explicitly trusted by your openssl.
>
>
> $ openssl s_client -connect www.yahoo.com:443 </dev/null
>
>                                       ⏎
> CONNECTED(00000003)
> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify return:1
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
> Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN
> = Symantec Class 3 Secure Server CA - G4
> verify return:1
> depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU =
> Information Technology, CN = www.yahoo.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information
> Technology/CN=www.yahoo.com
>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
> Class 3 Secure Server CA - G4
>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
>  2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
>
> On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <stan.presc...@gmail.com
> > wrote:
>
>> Okay, it's not a name of the cert problem.
>>
>> I turned on extra debug info to see what I get when I remove the
>> DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is
>> what I got in the cache.log. I only see a couple of lines about a
>> certificate error. Sorry this is long but I didn't know what to include so
>> I just included everything for that one access attempt.
>>
>> *2016/08/03 18:12:16.701 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0
>> query ARP table*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0
>> query ARP on each interface (128 found)*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface lo*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface eth2*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
>> looking up ARP address for 10.40.40.110 on eth2*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface eth1*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
>> looking up ARP address for 10.40.40.110 on eth1*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0
>> got address 08:00:27:29:24:4a on eth1*
>> *2016/08/03 18:12:16.702 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
>> *2016/08/03 18:12:16.702 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking slow rules*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rules)*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0is not banned*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> localhostgreen*
>> *2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
>> <http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%5D>
>> (10.40.40.110:49732 <http://10.40.40.110:49732>)  vs
>> 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:49732 <http://10.40.40.110:49732>' NOT found*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
>> localhostgreen = 0*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/3is not banned*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s1_connect*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s1_connect = 1*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
>> <http://10.40.40.110:49732/%5B:>:] ([::]:49732)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:49732 <http://10.40.40.110:49732>' found*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 1*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rules) = 1*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer ALLOWED for match*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
>> *2016/08/03 18:12:16.702 kid1| 33,2| client_side.cc(3909)
>> httpsSslBumpAccessCheckDone: sslBump needed for local=52.34.245.108:443
>> <http://52.34.245.108:443> remote=10.40.40.110:49732
>> <http://10.40.40.110:49732> FD 14 flags=33 method 3*
>> *2016/08/03 18:12:16.702 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28
>> checking slow rules*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0is not banned*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access#1*
>> *2016/08/03 18:12:16.702 kid1| 28,5| Acl.cc(138) matches: checking
>> SWE_subnets*
>> *2016/08/03 18:12:16.702 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
>> <http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D>
>> (10.40.40.0:49732 <http://10.40.40.0:49732>)  vs
>> 192.168.192.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
>> *2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
>> <http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D>
>> (10.40.40.0:49732 <http://10.40.40.0:49732>)  vs
>> 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
>> *2016/08/03 18:12:16.703 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:49732/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
>> <http://10.40.40.110:49732/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D>
>> (10.40.40.0:49732 <http://10.40.40.0:49732>)  vs
>> 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:49732 <http://10.40.40.110:49732>' found*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
>> SWE_subnets = 1*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access#1 = 1*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access = 1*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa214d28 answer ALLOWED for match*
>> *2016/08/03 18:12:16.703 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED*
>> *2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08*
>> *2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08*
>> *2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c*
>> *2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c*
>> *2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28*
>> *2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa214d28*
>> *2016/08/03 18:12:16.703 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:16.703 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking slow rules*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rules)*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0 is  banned*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/3is not banned*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s1_connect*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s1_connect = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/6is not banned*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s2_client_hello*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s2_client_hello = 1*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_to_splice*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_allowed_hsts*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
>> 'tiles.services.mozilla.com <http://tiles.services.mozilla.com>'*
>> *2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:tiles.services.mozilla.com
>> <http://tiles.services.mozilla.com> <>  .akamaihd.net <http://akamaihd.net>*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match:
>> 'tiles.services.mozilla.com <http://tiles.services.mozilla.com>' NOT found*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
>> 'none'*
>> *2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:none <>  .akamaihd.net <http://akamaihd.net>*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
>> found*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_allowed_hsts = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_server_is_bank*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
>> 'tiles.services.mozilla.com <http://tiles.services.mozilla.com>'*
>> *2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:tiles.services.mozilla.com
>> <http://tiles.services.mozilla.com> <>  .wellsfargo.com
>> <http://wellsfargo.com>*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match:
>> 'tiles.services.mozilla.com <http://tiles.services.mozilla.com>' NOT found*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(42) match: checking
>> 'none'*
>> *2016/08/03 18:12:16.704 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:none <>  .wellsfargo.com
>> <http://wellsfargo.com>*
>> *2016/08/03 18:12:16.704 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
>> found*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_server_is_bank = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_to_splice = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/4is not banned*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s2_client_hello*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s2_client_hello = 1*
>> *2016/08/03 18:12:16.704 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:16.704 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
>> <http://10.40.40.110:49732/%5B:>:] ([::]:49732)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:49732 <http://10.40.40.110:49732>' found*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 1*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rules) = 1*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer ALLOWED for match*
>> *2016/08/03 18:12:16.704 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
>> *2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c*
>> *2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf95080c*
>> *2016/08/03 18:12:16.704 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:16.704 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:16.869 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking fast rules*
>> *2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(346) fastCheck:
>> aclCheckFast: list: 0x9de0a80*
>> *2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking
>> sslproxy_cert_error*
>> *2016/08/03 18:12:16.870 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'DENIED/0is not banned*
>> *2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking
>> sslproxy_cert_error#1*
>> *2016/08/03 18:12:16.870 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:16.870 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:49732/[:
>> <http://10.40.40.110:49732/%5B:>:] ([::]:49732)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:16.870 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:49732 <http://10.40.40.110:49732>' found*
>> *2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked:
>> sslproxy_cert_error#1 = 1*
>> *2016/08/03 18:12:16.870 kid1| 28,3| Acl.cc(158) matches: checked:
>> sslproxy_cert_error = 1*
>> *2016/08/03 18:12:16.870 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer DENIED for match*
>> *2016/08/03 18:12:16.870 kid1| Error negotiating SSL on FD 16:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed (1/-1/0)*
>> *2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(70) preCheck:
>> 0xbf950b68 checking fast ACLs*
>> *2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking
>> cache_access_log stdio:/var/log/squid/access.log*
>> *2016/08/03 18:12:16.871 kid1| 28,5| Acl.cc(138) matches: checking
>> (cache_access_log stdio:/var/log/squid/access.log line)*
>> *2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked:
>> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
>> *2016/08/03 18:12:16.871 kid1| 28,3| Acl.cc(158) matches: checked:
>> cache_access_log stdio:/var/log/squid/access.log = 1*
>> *2016/08/03 18:12:16.871 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xbf950b68 answer ALLOWED for match*
>> *2016/08/03 18:12:16.871 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68*
>> *2016/08/03 18:12:16.871 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950b68*
>> *2016/08/03 18:12:16.998 kid1| 33,2| client_side.cc(816) swanSong:
>> local=52.34.245.108:443 <http://52.34.245.108:443>
>> remote=10.40.40.110:49732 <http://10.40.40.110:49732> flags=33*
>> *2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(70) preCheck:
>> 0xbf950c28 checking fast ACLs*
>> *2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking
>> cache_access_log stdio:/var/log/squid/access.log*
>> *2016/08/03 18:12:16.998 kid1| 28,5| Acl.cc(138) matches: checking
>> (cache_access_log stdio:/var/log/squid/access.log line)*
>> *2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked:
>> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
>> *2016/08/03 18:12:16.998 kid1| 28,3| Acl.cc(158) matches: checked:
>> cache_access_log stdio:/var/log/squid/access.log = 1*
>> *2016/08/03 18:12:16.998 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xbf950c28 answer ALLOWED for match*
>> *2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28*
>> *2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
>> *2016/08/03 18:12:16.998 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:16.998 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(178) lookup: id=0xa2064b0
>> query ARP table*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(222) lookup: id=0xa2064b0
>> query ARP on each interface (128 found)*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface lo*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface eth2*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
>> looking up ARP address for 10.40.40.110 on eth2*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(228) lookup: id=0xa2064b0
>> found interface eth1*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(237) lookup: id=0xa2064b0
>> looking up ARP address for 10.40.40.110 on eth1*
>> *2016/08/03 18:12:21.031 kid1| 28,4| Eui48.cc(280) lookup: id=0xa2064b0
>> got address 08:00:27:29:24:4a on eth1*
>> *2016/08/03 18:12:21.032 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
>> *2016/08/03 18:12:21.032 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking slow rules*
>> *2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access*
>> *2016/08/03 18:12:21.054 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0is not banned*
>> *2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access#1*
>> *2016/08/03 18:12:21.054 kid1| 28,5| Acl.cc(138) matches: checking
>> SWE_subnets*
>> *2016/08/03 18:12:21.054 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:40595/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
>> <http://10.40.40.110:40595/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D>
>> (10.40.40.0:40595 <http://10.40.40.0:40595>)  vs
>> 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:40595 <http://10.40.40.110:40595>' found*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
>> SWE_subnets = 1*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access#1 = 1*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access = 1*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer ALLOWED for match*
>> *2016/08/03 18:12:21.054 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
>> *2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950198*
>> *2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950198*
>> *2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9502cc*
>> *2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf9502cc*
>> *2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94f87c*
>> *2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf94f87c*
>> *2016/08/03 18:12:21.054 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.054 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.101 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf9509dc*
>> *2016/08/03 18:12:21.102 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf9509dc*
>> *2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(70) preCheck:
>> 0xbf950ae8 checking fast ACLs*
>> *2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking
>> cache_access_log stdio:/var/log/squid/access.log*
>> *2016/08/03 18:12:21.150 kid1| 28,5| Acl.cc(138) matches: checking
>> (cache_access_log stdio:/var/log/squid/access.log line)*
>> *2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked:
>> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
>> *2016/08/03 18:12:21.150 kid1| 28,3| Acl.cc(158) matches: checked:
>> cache_access_log stdio:/var/log/squid/access.log = 1*
>> *2016/08/03 18:12:21.150 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xbf950ae8 answer ALLOWED for match*
>> *2016/08/03 18:12:21.150 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950ae8*
>> *2016/08/03 18:12:21.150 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950ae8*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(178) lookup: id=0xa224638
>> query ARP table*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(222) lookup: id=0xa224638
>> query ARP on each interface (128 found)*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
>> found interface lo*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
>> found interface eth2*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638
>> looking up ARP address for 10.40.40.110 on eth2*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(228) lookup: id=0xa224638
>> found interface eth1*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(237) lookup: id=0xa224638
>> looking up ARP address for 10.40.40.110 on eth1*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Eui48.cc(280) lookup: id=0xa224638
>> got address 08:00:27:29:24:4a on eth1*
>> *2016/08/03 18:12:21.171 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950dec*
>> *2016/08/03 18:12:21.171 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950dec*
>> *2016/08/03 18:12:21.171 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking slow rules*
>> *2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rules)*
>> *2016/08/03 18:12:21.171 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0is not banned*
>> *2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:21.171 kid1| 28,5| Acl.cc(138) matches: checking
>> localhostgreen*
>> *2016/08/03 18:12:21.171 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
>> <http://10.40.40.110:35474/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%5D>
>> (10.40.40.110:35474 <http://10.40.40.110:35474>)  vs
>> 10.40.40.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:35474 <http://10.40.40.110:35474>' NOT found*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> localhostgreen = 0*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/3is not banned*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s1_connect*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s1_connect = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
>> <http://10.40.40.110:35474/%5B:>:] ([::]:35474)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:35474 <http://10.40.40.110:35474>' found*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rules) = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer ALLOWED for match*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
>> *2016/08/03 18:12:21.172 kid1| 33,2| client_side.cc(3909)
>> httpsSslBumpAccessCheckDone: sslBump needed for local=98.138.253.109:443
>> <http://98.138.253.109:443> remote=10.40.40.110:35474
>> <http://10.40.40.110:35474> FD 18 flags=33 method 3*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(70) preCheck: 0xa214d28
>> checking slow rules*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0is not banned*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
>> http_access#1*
>> *2016/08/03 18:12:21.172 kid1| 28,5| Acl.cc(138) matches: checking
>> SWE_subnets*
>> *2016/08/03 18:12:21.172 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare:
>> 10.40.40.110:35474/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
>> <http://10.40.40.110:35474/%5Bffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00%5D>
>> (10.40.40.0:35474 <http://10.40.40.0:35474>)  vs
>> 10.40.40.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:35474 <http://10.40.40.110:35474>' found*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> SWE_subnets = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access#1 = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Acl.cc(158) matches: checked:
>> http_access = 1*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa214d28 answer ALLOWED for match*
>> *2016/08/03 18:12:21.172 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa214d28 answer=ALLOWED*
>> *2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fc08*
>> *2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf94fc08*
>> *2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf94fd3c*
>> *2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf94fd3c*
>> *2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa214d28*
>> *2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa214d28*
>> *2016/08/03 18:12:21.172 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.172 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking slow rules*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rules)*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/0 is  banned*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/3is not banned*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s1_connect*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s1_connect = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/6is not banned*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s2_client_hello*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s2_client_hello = 1*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_to_splice*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_allowed_hsts*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
>> 'www.yahoo.com <http://www.yahoo.com>'*
>> *2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:www.yahoo.com <http://www.yahoo.com> <>
>>  .akamaihd.net <http://akamaihd.net>*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match:
>> 'www.yahoo.com <http://www.yahoo.com>' NOT found*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
>> 'none'*
>> *2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:none <>  .akamaihd.net <http://akamaihd.net>*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
>> found*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_allowed_hsts = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_server_is_bank*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
>> 'www.yahoo.com <http://www.yahoo.com>'*
>> *2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:www.yahoo.com <http://www.yahoo.com> <>
>>  .wellsfargo.com <http://wellsfargo.com>*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match:
>> 'www.yahoo.com <http://www.yahoo.com>' NOT found*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(42) match: checking
>> 'none'*
>> *2016/08/03 18:12:21.173 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:none <>  .wellsfargo.com
>> <http://wellsfargo.com>*
>> *2016/08/03 18:12:21.173 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
>> found*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_server_is_bank = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_to_splice = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 0*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'ALLOWED/4is not banned*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> (ssl_bump rule)*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking
>> tls_s2_client_hello*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> tls_s2_client_hello = 1*
>> *2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:21.173 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
>> <http://10.40.40.110:35474/%5B:>:] ([::]:35474)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:35474 <http://10.40.40.110:35474>' found*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rule) = 1*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Acl.cc(158) matches: checked:
>> (ssl_bump rules) = 1*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer ALLOWED for match*
>> *2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(163) checkCallback:
>> ACLChecklist::checkCallback: 0xa210ad8 answer=ALLOWED*
>> *2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf95080c*
>> *2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf95080c*
>> *2016/08/03 18:12:21.173 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.173 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8
>> checking fast rules*
>> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck:
>> aclCheckFast: list: 0x9de0a80*
>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
>> sslproxy_cert_error*
>> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction:
>> Action 'DENIED/0is not banned*
>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking
>> sslproxy_cert_error#1*
>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all*
>> *2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare:
>> aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[:
>> <http://10.40.40.110:35474/%5B:>:] ([::]:35474)  vs [::]-[::]/[::]*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp:
>> '10.40.40.110:35474 <http://10.40.40.110:35474>' found*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all =
>> 1*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
>> sslproxy_cert_error#1 = 1*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked:
>> sslproxy_cert_error = 1*
>> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xa210ad8 answer DENIED for match*
>> *2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed (1/-1/0)*
>> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck:
>> 0xbf950b68 checking fast ACLs*
>> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
>> cache_access_log stdio:/var/log/squid/access.log*
>> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking
>> (cache_access_log stdio:/var/log/squid/access.log line)*
>> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
>> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
>> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked:
>> cache_access_log stdio:/var/log/squid/access.log = 1*
>> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xbf950b68 answer ALLOWED for match*
>> *2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68*
>> *2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950b68*
>> *2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong:
>> local=98.138.253.109:443 <http://98.138.253.109:443>
>> remote=10.40.40.110:35474 <http://10.40.40.110:35474> flags=33*
>> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck:
>> 0xbf950c28 checking fast ACLs*
>> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
>> cache_access_log stdio:/var/log/squid/access.log*
>> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking
>> (cache_access_log stdio:/var/log/squid/access.log line)*
>> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
>> (cache_access_log stdio:/var/log/squid/access.log line) = 1*
>> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked:
>> cache_access_log stdio:/var/log/squid/access.log = 1*
>> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished:
>> 0xbf950c28 answer ALLOWED for match*
>> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28*
>> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xbf950c28*
>> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66)
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8*
>> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8*
>>
>>
>> The web browser error says:
>> "Failed to establish a secure connection to (a yahoo.com IP address was
>> here)"
>> and another message of "(71) Protocol error (TLS code:
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
>> and "Certificate issuer (CA) not known".
>>
>> On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <
>> stan.presc...@gmail.com> wrote:
>>
>>> Thanks for the info, Alex. That's very helpful about cleaning up my
>>> ACLs. Those ACLs are a collection of ACLs that others have suggested I use,
>>> but it would be nice to make them less confusing for me.
>>>
>>> With my limited understanding of how sslbump works, the idea for squid
>>> to play MITM is that a self-signed cert like squidCA.der is imported to a
>>> browser's root CAs. I have left a copy of the self-signed cert named
>>> squidCA.pem in the squid's cert directory which only works if squid is told
>>> to not verify the peer. When following the instructions how to generate the
>>> self-signed cert with openssl, the .pem file must be converted to a .der
>>> file for the browser to accept it. It just dawned on me that, could this be
>>> related to the fact that the squid self-signed certs are not named the same?
>>>
>>> On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <
>>> rouss...@measurement-factory.com> wrote:
>>>
>>>> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>>>>
>>>> > ssl_bump none localhostgreen
>>>> > ssl_bump peek tls_s1_connect all
>>>> > ssl_bump splice tls_s2_client_hello tls_to_splice
>>>> > ssl_bump stare tls_s2_client_hello all
>>>> > ssl_bump bump tls_s3_server_hello all
>>>>
>>>> AFAICT, the above is too complex. You can simplify it with:
>>>>
>>>>   ssl_bump splice localhostgreen
>>>>   ssl_bump peek tls_s1_connect
>>>>   ssl_bump splice tls_to_splice
>>>>   ssl_bump stare all
>>>>   ssl_bump bump all
>>>>
>>>> and, after polishing your ACLs a little, possibly even with:
>>>>
>>>>   ssl_bump splice transactions_to_splice
>>>>   ssl_bump peek tls_s1_connect
>>>>   ssl_bump stare all
>>>>   ssl_bump bump all
>>>>
>>>> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
>>>> and tls_to_splice)".
>>>>
>>>>
>>>> As for your original question, I recommend figuring out why Squid cannot
>>>> verify the peer. For example, your setup might be missing fresh
>>>> certificates for some well-known Root CAs. I do not know a good way to
>>>> figure out why peer verification does not work, but analyzing cache.log
>>>> with high-enough debugging level should be doable, especially if you can
>>>> reproduce the problem using a single transaction:
>>>>
>>>>
>>>> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>>>
>>>>
>>>> HTH,
>>>>
>>>> Alex.
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] sslproxyflags DONT_VERIFY_PEER

Reply via email to