I'm having trouble with SSL Peek & Splice in Squid 3.5.16 using
intercept mode. I'm trying to configure a transparent proxy (no CA
installed on clients) which denies access to specific sites. I
understand that if I can't Bump (my case), then I can only use SNI
information from TLS "Client Hello" on Step 2.

Everything works OK with most sites, but when I try to connect to some
sites like facebook.com or microsoft.com, clients can't connect and I
get this error on cache.log:

> [...]
> Error negotiating SSL on FD 111: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
> [...]

Reading emails from this list, I came to the conclusion that this
error is related to new ciphers (like ChaCha20) which are not
supported by OpenSSL 1.0.1... So I tried to compile Squid using
OpenSSL 1.1.0, which is not possible (bug #4599). I also tried to
compile it using LibreSSL unsuccessfully.

I fail to see why this is happening. I only need to peek on the
connection and make a decision based on SNI, I'm not Bumping, so I
don't understand why ciphers matter in my situation.

My squid.conf:

> [...]
> acl face ssl::server_name_regex -i facebook
> acl twitter ssl::server_name_regex -i twitter
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> sslproxy_cipher 
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/myCA.pem
> sslproxy_capath /var/lib/ssl_db
> ssl_bump peek all step1
> ssl_bump peek all step2
> ssl_bump terminate face step3
> ssl_bump terminate twitter step3
> ssl_bump splice all step3
> sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 10
> sslproxy_cert_error deny all
> [...]

Any ideas would be really appreciated.


