Hi, I have a problem on Ubuntu 18.04.2 with Squid 4.6 compiled against OpenSSL 1.1, regarding ssl_bump. The same configuration works with Squid 3.5 and OpenSSL 1.0.
Here is the relevant conf:

    ...
    http_port 3128 ssl-bump options=ALL:NO_SSLv3 connection-auth=off generate-host-certificates=off cert=/etc/squid/squidCA.pem

    # Do not bypass server certificate validation errors
    sslproxy_cert_error deny all

    # This one returns errors with Debian on GCP (https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery)
    host_verify_strict off

    sslproxy_session_cache_size 0

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3

    ssl_bump peek step1 all
    ssl_bump peek step2 all

    # API Google
    acl api_google_urls url_regex ^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/)
    acl api_google_urls url_regex ^(https?:\/\/)?.*\.google\.com(:443)?($|\/)
    acl api_google_urls url_regex ^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/)
    acl api_google_urls url_regex ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
    acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com
    acl api_google_ssl ssl::server_name_regex .*\.google\.com
    acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com
    acl api_google_ips src 127.0.0.1/32

    http_access allow api_google_ips api_google_urls
    ssl_bump splice step3 api_google_ips api_google_ssl

    http_access deny all
    ssl_bump terminate step3 all
    ...
To compile and install squid I use this script:

    # set squid version
    export SQUID_VER="4.6"
    export SQUID_PKG="${SQUID_VER}-2"

    sudo apt-get -y install libssl-dev devscripts build-essential fakeroot dpkg-dev
    sudo apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
        libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
        libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl libecap3 libecap3-dev \
        ed libltdl-dev cdbs debhelper dh-apparmor

    # we will be working in a subfolder, make it
    mkdir -p build/squid
    # descend into working directory
    pushd build/squid

    curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.dsc
    curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_VER}.orig.tar.gz
    curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.debian.tar.xz

    # unpack the source package
    dpkg-source -x squid_${SQUID_PKG}.dsc
    # enable the OpenSSL build and the certificate generator helper
    echo "DEB_CONFIGURE_EXTRA_FLAGS += --enable-ssl --with-openssl --enable-ssl-crtd" >> squid-${SQUID_VER}/debian/rules

    # build the package
    cd squid-${SQUID_VER} && dpkg-buildpackage -rfakeroot -b -J2 -uc -us
    # dpkg-buildpackage writes the .deb files to the parent directory
    cd ..

    sudo apt-get install squid-langpack
    sudo dpkg --install squid-common_${SQUID_PKG}_all.deb
    sudo dpkg --install squid_${SQUID_PKG}_amd64.deb
    sudo dpkg --install squidclient_${SQUID_PKG}_amd64.deb

    # self-signed CA: key and certificate end up in the same PEM file
    cd /etc/squid
    sudo openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -subj "/CN=nobody" \
        -x509 -extensions v3_ca -keyout squidCA.pem -out squidCA.pem
    sudo chown proxy:proxy /var/spool/squid
    sudo chown proxy:proxy /var/log/squid
    sudo chown -R proxy:proxy /etc/squid

    # remove the build-only packages again
    sudo apt-get -y remove --purge libssl-dev
    sudo apt-get -y remove --purge devscripts build-essential fakeroot dpkg-dev
    sudo apt-get -y remove --purge libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
        libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
        libpam0g-dev libgnutls28-dev libssl-dev libecap3-dev \
        ed libltdl-dev cdbs debhelper dh-apparmor
    sudo apt-get -y autoremove

I'm upgrading to Squid 4 with OpenSSL 1.1 because with Squid 3 I have some connections that get stuck (for example https://packages.cloud.google.com/apt/doc/apt-key.gpg), I think because of unsupported ciphers. But with Squid 4 and OpenSSL 1.1 I have these lines in cache.log:

    2019/04/04 08:49:15 kid1| ERROR: client https start failed to allocate handle: error:140AB043:SSL routines:SSL_CTX_use_certificate:passed a null parameter
    2019/04/04 08:49:15 kid1| ERROR: could not create TLS server context for local=127.0.0.1:3128 remote=127.0.0.1:39203 FD 19 flags=1

and this in access.log:

    127.0.0.1 - - [04/Apr/2019:08:49:15 +0000] "CONNECT packages.cloud.google.com:443 HTTP/1.1" 200 0 "-" "curl/7.58.0" NONE_ABORTED:HIER_NONE packages.cloud.google.com

for the following connection:

    root@instance-2:/etc/squid $ https_proxy="http://127.0.0.1:3128" curl -vvvv -sSO https://packages.cloud.google.com/apt/doc/apt-key.gpg
    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to packages.cloud.google.com:443
    > CONNECT packages.cloud.google.com:443 HTTP/1.1
    > Host: packages.cloud.google.com:443
    > User-Agent: curl/7.58.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    <
    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed!
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    } [5 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    } [223 bytes data]
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443

Thanks

--
Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni
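The url_regex and ssl::server_name_regex ACLs in the posted squid.conf are what decide which CONNECTs are allowed and which TLS sessions are spliced rather than terminated, so it is worth checking what they actually match before trusting them. The following Python script is an added example and not part of the original post or of Squid itself; it copies the post's patterns verbatim and evaluates them against constructed sample host names, using Python's re module as a stand-in for Squid's POSIX regex matching (an assumption that holds for patterns this simple). It shows that the url_regex entries are anchored at the end by `(:443)?($|\/)`, while the server_name_regex entries and the bare IP pattern are not, and includes anchored variants (my suggestion, not from the post) for comparison. The `connect_allowed`, `bump_action` and `audit` helpers are names invented here.

```python
import re

# Patterns copied verbatim from the posted squid.conf ACL lists.
API_GOOGLE_URLS = [
    r"^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/)",
    r"^(https?:\/\/)?.*\.google\.com(:443)?($|\/)",
    r"^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/)",
    r"^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})",
]
API_GOOGLE_SSL = [
    r".*\.googleapis\.com",
    r".*\.google\.com",
    r".*\.cloud\.google\.com",  # already covered by the pattern above
]

# Anchored variants (suggested here, not taken from the post): require at least one
# dotted label in front and nothing after the registered name, so a server name such
# as "www.google.com.example.net" cannot match.
ANCHORED_SSL = [
    r"^([^.]+\.)+googleapis\.com$",
    r"^([^.]+\.)+google\.com$",
]
# Anchored IP form of the last url_regex entry: exactly four octets, then the
# optional port and end of string or a slash, like the host-name entries.
ANCHORED_IP_URL = r"^(https:\/\/)?([0-9]{1,3}\.){3}[0-9]{1,3}(:443)?($|\/)"


def acl_matches(patterns, value):
    """A Squid *_regex ACL is an OR-list of unanchored searches: any pattern hitting
    anywhere in the value makes the ACL match; re.search mirrors that behaviour."""
    return any(re.search(p, value) is not None for p in patterns)


def connect_allowed(url):
    """Models 'http_access allow api_google_ips api_google_urls' for a 127.0.0.1
    client, i.e. the src ACL already matched and only api_google_urls is tested."""
    return acl_matches(API_GOOGLE_URLS, url)


def bump_action(server_name, ssl_patterns=API_GOOGLE_SSL):
    """Models 'ssl_bump splice step3 api_google_ips api_google_ssl' followed by
    'ssl_bump terminate step3 all' for a 127.0.0.1 client."""
    return "splice" if acl_matches(ssl_patterns, server_name) else "terminate"


def audit(hosts):
    """For each host: (CONNECT allowed?, bump action with the posted ACL,
    bump action with the anchored ACL)."""
    return {
        host: (
            connect_allowed(host + ":443"),
            bump_action(host),
            bump_action(host, ANCHORED_SSL),
        )
        for host in hosts
    }


if __name__ == "__main__":
    # Constructed sample server names, not taken from any real traffic.
    samples = [
        "packages.cloud.google.com",
        "storage.googleapis.com",
        "www.google.com.example.net",
        "10.0.0.1.example.net",
        "example.net",
    ]
    for host, (allowed, posted, anchored) in audit(samples).items():
        print(f"{host:28} CONNECT allowed={allowed!s:5} "
              f"bump(posted)={posted:9} bump(anchored)={anchored}")
```

Running the script shows the two ACL families disagreeing on the constructed name `www.google.com.example.net`: the anchored url_regex refuses the CONNECT, but the unanchored server_name_regex would still classify the SNI as "splice". Anchoring both lists the same way removes that inconsistency, and it is also how to keep the IP entry from matching any URL that merely begins with four dotted numbers.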
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users