On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> On 25/11/17 08:30, James Lay wrote:
> >
> > Topic says it...this setup has been working well for a long time, but
> > now there are some sites that are failing the TLS handshake. Here's my
> > setup:
> >
> > acl localnet src 192.168.1.0/24
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 443
> > acl CONNECT method CONNECT
> > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_Ports
> > http_access allow SSL_ports
> > http_access allow allowed_http_sites
> > http_access deny all
> >
> > ssl_bump peek all
> > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > ssl_bump splice allowed_https_sites
> > ssl_bump terminate all
>
> Because you have "peek all" being performed the transaction MUST pass
> your regex patterns with both TLS SNI from the client *and* the server
> certificate SubjectName values. Either one not matching will perform
> that "terminate all" on the TLS handshake.
>

Thanks Amos...do you have a suggestion for changing this to match one or
the other instead of both?

James

> >
> > sslproxy_cert_error allow all
> > sslproxy_capath /etc/ssl/certs
> > sslproxy_flags DONT_VERIFY_PEER
> > #sslproxy_options ALL
> >
>
> Also, please remove these "*_error allow all" and DONT_VERIFY_PEER lines
> from your config. They are actively harmful.
>
> > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > sslcrtd_children 5
> >
> > http_port 3128 intercept
> > https_port 3129 intercept ssl-bump
> > cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem
> > cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem
> > key=/opt/etc/squid/certs/sslsplit_ca_key.pem
> >
>
> NP: when cert= and key= are in the same file you do not need to specify
> key=.
>
> > generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> >
>
> It is also best to add "sslflags=NO_DEFAULT_CA" to these ports for
> Squid-3. That will save a lot of useless memory overheads.
>
> > logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni
> > %ssl::>cert_subject %>Hs %<st %Ss:%Sh
> >
> > ...
> >
> > For example, the file http_url.txt contains:
> >
> > account\.elderscrollsonline\.com
> > \.elderscrollsonline\.com
> > elderscrollsonline\.com
> >
> > After doing some reading it looks like this is http2 traffic:
> > https://wiki.squid-cache.org/Features/HTTP2.
> >
>
> There is no sign of HTTP/2 in that PCAP trace. There is SPDY/3 and
> HTTP/1.1 being offered by the client.
>
> If that is from the client to Squid, then please check the matching
> Squid->server for what is going on there.
>
> If the problem remains please try Squid-4. It has more advanced TLS
> capabilities than Squid-3.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
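As an added illustration of Amos's point (this is not code from the thread or from Squid), the Python script below models the ssl_bump decision the quoted config produces for a few constructed connections: with "peek all" both the client SNI and the server certificate subject must match the patterns in http_url.txt, otherwise "terminate all" applies. The require_both=False mode is a hypothetical stand-in for the one-or-the-other matching James asks about, not a Squid directive; the certificate and host names are constructed placeholders.

```python
import re

# Constructed stand-in for /opt/etc/squid/http_url.txt: the three patterns
# quoted in the thread, one regex per line.
HTTP_URL_TXT = r"""
account\.elderscrollsonline\.com
\.elderscrollsonline\.com
elderscrollsonline\.com
"""


def load_patterns(text):
    """Compile one regex per non-empty line, the way a Squid *_regex ACL file
    is read: case-sensitive and unanchored (re.search), so a pattern such as
    elderscrollsonline\.com also matches any longer name that contains it."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def matches_any(patterns, name):
    return any(p.search(name) for p in patterns)


def bump_decision(patterns, sni, cert_subject, require_both=True):
    """Return 'splice' or 'terminate' for one TLS connection.

    With "ssl_bump peek all" the splice ACL is evaluated against both the
    TLS SNI and the server certificate subject, and (per Amos) both must
    match.  require_both=False is a hypothetical one-or-the-other rule used
    only for comparison; it does not correspond to a Squid option."""
    sni_ok = matches_any(patterns, sni)
    cert_ok = matches_any(patterns, cert_subject)
    ok = (sni_ok and cert_ok) if require_both else (sni_ok or cert_ok)
    return "splice" if ok else "terminate"


# Constructed connections (SNI, server certificate subject CN); the CDN-style
# certificate name is a placeholder, not an observed value.
CONNECTIONS = [
    ("account.elderscrollsonline.com", "account.elderscrollsonline.com"),
    ("account.elderscrollsonline.com", "*.cdn.example.net"),  # SNI ok, cert not
    ("cdn.example.net", "www.elderscrollsonline.com"),        # cert ok, SNI not
    ("www.example.com", "www.example.com"),                   # neither matches
]


def audit(connections=CONNECTIONS, pattern_text=HTTP_URL_TXT):
    """Evaluate every connection under both rules; returns
    (sni, cert_subject, decision_both, decision_either) tuples."""
    patterns = load_patterns(pattern_text)
    return [(sni, cn, bump_decision(patterns, sni, cn),
             bump_decision(patterns, sni, cn, require_both=False))
            for sni, cn in connections]


if __name__ == "__main__":
    for sni, cn, both, either in audit():
        print(f"SNI={sni:32} cert={cn:32} both:{both:10} either:{either}")
```

The second row is the failure mode from the thread: the SNI is on the list, but a certificate whose subject names a CDN host is not, so the handshake is terminated even though the site itself was meant to be allowed.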