Re: [squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2016-10-03 Thread Amos Jeffries
On 3/10/2016 8:11 p.m., Vieri wrote:
> 
> 
> Hi,
> 
> - Original Message -
>> From: Yuri Voinov 
>> 
> 
>>> Why is Squid negotiating cipher RC4-MD5 which is reported
>>> "insecure" and unsupported by the google web site?
>> Because your antique client request it. XP desupported years ago.
> 
> [...]
>> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no
>> other
> 
>> way. I am afraid that in this case, the cactus is too large and
>> inedible.
> 
> I agree that XP clients shouldn't be used anymore but it's easier
> said than done in corporate environments.
> 
> In any case, on a purely technical level, I don't know the internals
> of Squid and standard proxying protocols but if a Windows XP+IE8
> client has no problem whatsoever connecting directly (no proxy) to
> https://www.google.com but fails with Squid in the middle (ssl-bump)
> then that makes me think that it could be either a Squid bug or a
> missing feature 

TLS/SSL was designed to prevent MITM being done on the encrypted
traffic. When used properly that is exactly what it does.

SSL-Bump is an MITM process.

So the behaviour you see of "working" when no proxy bumping and "not
working" when proxy attempts to bump is exactly the way HTTPS was
designed to behave.

It is unreasonable to believe that working TLS behaviour is a bug in
Squid...

> Whatever the reason,
> for an end-user like me it seems that the XP client is able to
> negotiate TLS correctly with Google and presumably using the cipher
> DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt),
> whereas Squid immediately fails with RC4-MD5. It doesn't ever seem to
> try DES-CBC3-SHA even though it's available in openssl.

... in this case it might be. But not for the reasons stated. The
problem known so far is that RC4-MD5 cipher. Why it is not being used by
your OpenSSL library.

That could bear some further investigation. There may be things you need
to enable in the config passed to OpenSSL, or a different build of the
library needed. Something along those lines - Im just guessing here.

> 
> 
> So I guess I'll start forcing users to use Firefox on WinXP or any
> other sane OS. I just wanted to point out though that I'm still
> confused as to why the client connection is failing.

That sounds like a potentially workable option or at least workaround.

I hope the above explanations can alleviate your confusion a bit despite
not providing any answer to the problem.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-03 Thread Amos Jeffries
On 4/10/2016 4:12 a.m., Egerváry Gergely wrote:
> Hi,
> 
> I'm running on NetBSD 7-STABLE, with IPFilter 5.1
> (--enable-ipf-transparent)
> 
> NAT interception rule:
> rdr wm1 from 2001:738:7a00:a::/64 to any port = 80 ->
> 2001:738:7a00:a::14 port 3128 tcp
> 
> cache.log:
> 
> 2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New
> connection on FD 18
> 2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(295) acceptNext:
> connection on local=[2001:738:7a00:a::14]:3128 remote=[::] FD 18 flags=41
> 2016/10/03 17:08:03.232 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 22
> HTTP Request
> 2016/10/03 17:08:03.233 kid1| 89,5| Intercept.cc(375) Lookup: address
> BEGIN: me/client= [2001:738:7a00:a::14]:3128, destination/me=
> [2001:738:7a00:a::a:d]:52628
> 2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert
> non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128
> 2016/10/03 17:08:03.473| 42,8| Icmp6.cc(240) Recv: 24 bytes from
> [2001:738:7a00:b::1]
> 

And what are your squid.conf http_port line(s) ?

What does squid log about listening HTTP ports on startup?

Amos



Re: [squid-users] Large text ACL lists

2016-10-03 Thread Darren
Hi Nishant

Thanks for the lead, I will have a look.

Redis is also interesting in this case due to its ability to scan keys and 
iterate through keys with a wildcard and cursors. Redis looks like it's just 
what I need as I need to swap in and out sets of sites on demand.

I have also been using Perl for over 20 years so my rewriter will be a child of 
Larry Wall.

Darren B.


On 2/10/2016 2:16:51 PM, Nishant Sharma  wrote:
Hi,

On 2 October 2016 9:54:52 AM IST, Darren wrote:
>Hi
>
>I have now opened the Pandora box of writing my own helper as per Bobs
>suggestion. 

We are working on a redirector which we are currently using at around 100 
geographically distributed squids. These squid are running on OpenWRT and 
PfSense embedded boxes like Mikrotik Routerboard, PCEngine Alix & APU.

The helper is written in Perl while server uses Postgresql, memcached and a 
daemon.

You may check it out at:

https://github.com/codemarauder/charcoal

http://charcoal.io

If you wish to do alpha testing, I would be more than happy to provide access 
to you on the hosted service.

Regards,
Nishant




Re: [squid-users] Problem with Squid3 Caches

2016-10-03 Thread Antony Stone
On Monday 03 October 2016 at 20:55:07, Jason Alexander wrote:

> Greetings -
> 
> I’m trying to install squid on an Ubuntu workstation in a VM.  I install
> squid but unable to initialize caches.  I get the following error:
> 
> FATAL: Bungled /etc/squid/squid.conf line 3467: cache_dir rock /ssd3 ...

My guess is:

a) you have an email client which isn't correctly adding a plain text body

b) you do not have a directory /ssd3 on your computer

If either of those is incorrect, please follow Yuri's request to post your 
squid.conf (without comments or blank lines, please), but also add the output 
of:

ls -al /ssd3

from your machine.


Thanks,


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] handshake problems with stare and bump

2016-10-03 Thread Alex Rousskov
On 10/03/2016 11:50 AM, Marc wrote:

> 2) Squid forwards the Client Hello, including ciphers the host running
> squid doesn't support (in my case, the DES and RC4 ones). This could
> also potentially lead to problems. Why doesn't squid filter them out
> from the Client Hello sent from squid to the webserver?

If this is what happens, then it is a Squid bug. During step2, the
matching "stare" action instructs Squid to start establishing the secure
connection with the origin server with the intent to "bump" it. Unlike
peeking, Squid must not advertise what it does not support in this case
because, as you said, doing so may jeopardize future bumping. If Squid
v4 does the same thing, I recommend filing a bug report.


> 3) Nice to have: Is it possible for squid to report errors to the user
> over HTTPS instead of HTTP ?

Squid is supposed to report bumping errors over HTTPS whenever it can
establish a secure connection with the client. Based on your email, I am
not sure whether Squid could establish a secure connection with the
client, but I suspect that your FD 12 "ssl3_get_client_hello:no shared
cipher" error indicates that Squid tried but failed to do so.

Alex.



Re: [squid-users] Problem with Squid3 Caches

2016-10-03 Thread Yuri Voinov

Show config.


04.10.2016 0:55, Jason Alexander пишет:
> Greetings -
>
> I’m trying to install squid on an Ubuntu workstation in a VM.  I
install squid but unable to initialize caches.  I get the following error:
>
> Initializing the Squid cache with the command squid3 -f
/etc/squid/squid.conf -z ..
>
> FATAL: Bungled /etc/squid/squid.conf line 3467: cache_dir rock /ssd3
... max-size=9
> Squid Cache (Version 3.5.12): Terminated abnormally.
> CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
> Maximum Resident Size: 115024 KB
> Page faults with physical i/o: 2
>
> Please advise how I may be able to fix this! Thank you.
>
> ~ KR
>
>
>



[squid-users] Problem with Squid3 Caches

2016-10-03 Thread Jason Alexander
Greetings - I’m trying to install squid on an Ubuntu workstation in a VM.  I install squid but unable to initialize caches.  I get the following error:

Initializing the Squid cache with the command squid3 -f /etc/squid/squid.conf -z ..

FATAL: Bungled /etc/squid/squid.conf line 3467: cache_dir rock /ssd3 ... max-size=9
Squid Cache (Version 3.5.12): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Maximum Resident Size: 115024 KB
Page faults with physical i/o: 2

Please advise how I may be able to fix this! Thank you.

~ KR


[squid-users] handshake problems with stare and bump

2016-10-03 Thread Marc
Hi,

I've got an issue with squid stare and bump, hope someone can help!

I'm staring and bumping everything, using transparent proxy on Fedora
Core 24 using squid-3.5.20-1.fc24.x86_64 (see below for config). Now
the client (iphone app) does TLS v1.0 and has the following ciphers in
the Client Hello (from wireshark):
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_DES_CBC_SHA (0x0009)

What squid does is replicating all of them in the Client Hello to the
server. This in general goes without problems most of the time, but in
this case not. In the cases where it fails, squid logs an error:
2016/10/01 00:08:13 kid1| Error negotiating SSL on FD 26:
error:1409F07F:SSL routines:ssl3_write_pending:bad write retry
(1/-1/0)
I've also seen:
2016/10/02 20:53:09 kid1| Error negotiating SSL connection on FD 12:
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
(1/-1)

Squid then sends the following html to the client (http over https
port 443 - I had to get it out of my pcap):

--
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1409F07F:SSL
routines:ssl3_write_pending:bad write retry
This proxy and the remote host failed to negotiate a mutually
acceptable security settings for handling your request. (..)
--
Now it would've been nicer if squid sent out that error over HTTPS,
but my main problem is the error happening in the first place.

I think it has something to do with the cipher. If I look at my pcaps
I can see the webserver is selecting 'TLS_RSA_WITH_3DES_EDE_CBC_SHA
(0x000a)' in the Server Hello. In openssl, this cipher is called
'DES-CBC3-SHA'. So if I try to reproduce on another client (linux),
only using one cipher in the client hello:
1) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client
-cipher DES-CBC3-SHA -quiet -connect $host:443 2>/dev/null
2) echo -e "GET / HTTP/1.1\nHost: $host\n\n" | openssl s_client
-cipher AES256-SHA -quiet -connect $host:443 2>/dev/null

1 breaks like the iphone app. 2 works fine. I've looked on the host
squid is running on, but 1 works there as well. So the host running
squid seems to support the cipher, also according to openssl:
# openssl ciphers -V | grep "0x00,0x0A"
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

Things that come to mind:
1) Why doesn't DES-CBC3-SHA work with squid ? The host seems to supports it.
2) Squid forwards the Client Hello, including ciphers the host running
squid doesn't support (in my case, the DES and RC4 ones). This could
also potentially lead to problems. Why doesn't squid filter them out
from the Client Hello sent from squid to the webserver ? Or replace
all of them with the ciphers preferred by squid. Perhaps by using the
sslproxy_cipher directive (which is currently ignored in ssl_bump
configurations).
3) Nice to have: Is it possible for squid to report errors to the user
over HTTPS instead of HTTP ?

My squid conf:

#
http_port  3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB
cert=/etc/pki/rootca/public+private.pem
http_port  3130 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB
cert=/etc/pki/rootca/public+private.pem

logformat  combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /export/logs/squid/access_log combined
cache_log  /export/logs/squid/cache_log
coredump_dir   /var/spool/squid

acl localhost  src    127.0.0.1/32 ::1

acl localnet   src    10.5.0.0/16
acl localnet   src    fc00::/7
acl localnet   src    fe80::/10

acl SSL_ports  port   443
acl Safe_ports port   80
acl Safe_ports port   443
acl CONNECT    method CONNECT

http_access    allow  manager localhost
http_access    deny   manager
http_access    deny   !Safe_ports
http_access    deny   CONNECT !SSL_ports
http_access    allow  localnet
http_access    allow  localhost
http_access    deny   all

forwarded_for  delete
cache          deny   all
always_direct  allow  all

ssl_bump       stare  all
ssl_bump       bump   all
#

Thanks,

Marc
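Marc's question 2 and Alex's answer to it (when the matching action is "stare", the proxy intends to bump, so it must not forward cipher suites its own TLS library cannot complete) can be made concrete with a small ClientHello parser. The Python below is an added example, not Squid's code and not from the thread. It builds a TLS 1.0 ClientHello carrying exactly the six suites from Marc's Wireshark listing, parses it, and re-emits it advertising only the suites the bumping proxy supports, keeping the client's preference order. PROXY_SUPPORTED is an assumption for illustration (Marc's openssl test shows DES-CBC3-SHA works on the squid host; the RC4 and single-DES suites are assumed unsupported there). The record has no extensions, like a TLS 1.0 client, but the parser and builder carry an opaque extensions block through unchanged.

```python
import os
import struct

# Cipher suite IDs exactly as Marc's Wireshark capture lists them in the
# iPhone app's ClientHello, in the client's preference order.
CLIENT_SUITES = [0x0035, 0x002f, 0x000a, 0x0005, 0x0004, 0x0009]
SUITE_NAMES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
}
# Assumption for this example: the suites the bumping proxy's own TLS library
# can complete. DES-CBC3-SHA works on the squid host per Marc's openssl test;
# the RC4 and single-DES suites are assumed to be unsupported there.
PROXY_SUPPORTED = {0x0035, 0x002f, 0x000a}


def build_client_hello(suites, random_bytes=None, session_id=b"", extensions=b""):
    """Serialise a TLS 1.0 ClientHello record (record layer + handshake header)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = b"\x03\x01" + random_bytes                          # client_version, random
    body += bytes([len(session_id)]) + session_id              # session_id<0..32>
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                        # compression_methods: null only
    body += extensions                                         # raw extensions block, if any
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record; returns (random, session_id, suites, extensions)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # skip client_version + random
    random_bytes = body[2:pos]
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                                        # skip compression_methods
    return random_bytes, session_id, suites, body[pos:]


def filter_client_hello(record, supported):
    """Re-emit the ClientHello advertising only suites the proxy can complete.

    Keeps the client's preference order. Refuses, rather than forwarding an
    empty list, when nothing overlaps: that is the 'no shared cipher' case and
    the server-side handshake cannot be bumped anyway.
    Returns (new_record, dropped_suites).
    """
    random_bytes, session_id, suites, extensions = parse_client_hello(record)
    kept = [s for s in suites if s in supported]
    dropped = [s for s in suites if s not in supported]
    if not kept:
        raise ValueError("no shared cipher between client offer and proxy")
    return build_client_hello(kept, random_bytes, session_id, extensions), dropped


def suite_names(suites):
    """Human-readable names for the suites this thread talks about."""
    return [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites]


if __name__ == "__main__":
    hello = build_client_hello(CLIENT_SUITES)
    forwarded, dropped = filter_client_hello(hello, PROXY_SUPPORTED)
    print("client offered :", suite_names(parse_client_hello(hello)[2]))
    print("proxy forwards :", suite_names(parse_client_hello(forwarded)[2]))
    print("dropped        :", suite_names(dropped))
```

Run stand-alone it prints the six offered suites, the three the proxy would forward, and the three RC4/DES suites it dropped. The same parser can be pointed at a ClientHello pulled out of a pcap to see what a real client offers before blaming the proxy.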


Re: [squid-users] Squid 3.5.21: ftp_port intercept doesn't work

2016-10-03 Thread Alex Rousskov
On 10/03/2016 06:36 AM, oleg gv wrote:

> I've setup in Squid 3.5.21 on my gateway : ftp_port 10.0.0.1:2121
>  intercept and create nat rule to redirect from
> port 21 to 2121 for client source address (for example 10.0.0.10)
> 
> Then trying to go through browser to ftp://ftp.intel.com from client
> 10.0.0.10
> 
> And in browser got Password prompt window: i set user anonymous and
> password a@a
> 
> Then got error message 501 Missing Host.

IIRC, your FTP password is supposed to contain the origin server host
name. There should be two "@" characters in the password. This is how
native FTP proxying works...

It might be easier to get it working with an FTP client (that supports
FTP proxies) rather than a general purpose browser.


HTH,

Alex.



Re: [squid-users] Squid crash - 3.5.21

2016-10-03 Thread Alex Rousskov
On 10/03/2016 04:50 AM, Jasper Van Der Westhuizen wrote:
> This morning I had some problems with some of our proxies. 2 Proxies in
> cluster A crashed with the below errors. The shortly afterwards 4 in
> cluster B did the same. Both clusters are configured to run their cache
> in memory with SMP and 4 workers configured.
> 
> FATAL: Received Bus Error...dying.


There are at least two possible reasons:

  1. A bug in Squid and
  2. Memory overallocation by the OS kernel.

To fix the former, the developers will need a stack trace (at least). I
recommend filing a bug report after getting that trace and excluding
reason #2. Squid wiki and various system administration guides explain
how to make Squid dump core files.

To check for memory overallocation, you can temporarily start Squid v4.0
with "shared_memory_locking on". Unfortunately, that squid.conf
directive is not available in Squid v3. You may be able to emulate it
using some OS-specific sysctl or environment variables, but doing so may
be far from trivial, and I do not have instructions.


HTH,

Alex.



Re: [squid-users] Large text ACL lists

2016-10-03 Thread Bob Cochran

On 10/02/2016 02:16 AM, Nishant Sharma wrote:
> Hi,
> 
> On 2 October 2016 9:54:52 AM IST, Darren  wrote:
>> Hi
>>
>> I have now opened the Pandora box of writing my own helper as per Bobs
>> suggestion.
> 
> We are working on a redirector which we are currently using at around 100 
> geographically distributed squids. These squid are running on OpenWRT and PfSense 
> embedded boxes like Mikrotik Routerboard, PCEngine Alix & APU.
> 
> The helper is written in Perl while server uses Postgresql, memcached and a 
> daemon.
> 
> You may check it out at:
> 
> https://github.com/codemarauder/charcoal
> 
> http://charcoal.io

It may be helpful at this point to remind everyone that there is a page 
on the squid site that lists redirectors: 
http://www.squid-cache.org/Misc/redirectors.html

Nishant, perhaps you should list Charcoal here.

I searched through the list for python-based redirectors.  Two come up, 
but the links seem to be stale / broken and probably should be removed:  
iredir and pyredir.

> If you wish to do alpha testing, I would be more than happy to provide access 
> to you on the hosted service.
> 
> Regards,
> Nishant






Re: [squid-users] problem in configuring squid

2016-10-03 Thread Antony Stone
On Monday 03 October 2016 at 17:03:13, Shark wrote:

> I want to config squid to make "open proxy" for both http & https
> I want make anonymous proxy, without decrypting traffic or etc, just change
> ip address, like this:
> 
> i find lot of ip port in internet for example: 173.161.0.227
> when i add some host to /etc/hosts like this:
> 
> 173.161.0.227 www.iplocation.net
> 
> its give me true way without ssl blocking in client and my ip changes to
> 173.161.0.227,

Squid is the wrong tool for this job.

You probably want something like https://www.torproject.org/

Antony.

-- 
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.

   Please reply to the list;
 please *don't* CC me.


[squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-03 Thread Egerváry Gergely
Hi,

I'm running on NetBSD 7-STABLE, with IPFilter 5.1
(--enable-ipf-transparent)

NAT interception rule:
rdr wm1 from 2001:738:7a00:a::/64 to any port = 80 ->
2001:738:7a00:a::14 port 3128 tcp

cache.log:

2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New
connection on FD 18
2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(295) acceptNext:
connection on local=[2001:738:7a00:a::14]:3128 remote=[::] FD 18 flags=41
2016/10/03 17:08:03.232 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 22
HTTP Request
2016/10/03 17:08:03.233 kid1| 89,5| Intercept.cc(375) Lookup: address
BEGIN: me/client= [2001:738:7a00:a::14]:3128, destination/me=
[2001:738:7a00:a::a:d]:52628
2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert
non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128
2016/10/03 17:08:03.473| 42,8| Icmp6.cc(240) Recv: 24 bytes from
[2001:738:7a00:b::1]

-- squid crash here --

2016/10/03 17:08:06.285 kid1| 21,3| tools.cc(610) enter_suid:
enter_suid: PID 2722 taking root privileges
2016/10/03 17:08:06.285 kid1| 16,3| cache_manager.cc(80)
registerProfile: registering legacy config
2016/10/03 17:08:06.285 kid1| 16,5| cache_manager.cc(114) findAction:
CacheManager::findAction: looking for action config
2016/10/03 17:08:06.285 kid1| 16,6| cache_manager.cc(122) findAction:
Action not found.
2016/10/03 17:08:06.285 kid1| 16,3| cache_manager.cc(65)
registerProfile: registered profile: config
2016/10/03 17:08:06.286 kid1| 13,3| mem.cc(473) Report: Memory pools are
'on'; limit: 5.000 MB
2016/10/03 17:08:06.286 kid1| 1,2| main.cc(1455) SquidMain: Doing
post-config initialization

Any ideas?
Thank You,
--
Gergely EGERVARY


[squid-users] problem in configuring squid

2016-10-03 Thread Shark
Hi and thanks for your good software,

I want to config squid to make "open proxy" for both http & https
I want make anonymous proxy, without decrypting traffic or etc, just change
ip address, like this:

i find lot of ip port in internet for example: 173.161.0.227
when i add some host to /etc/hosts like this:

173.161.0.227 www.iplocation.net

its give me true way without ssl blocking in client and my ip changes to
173.161.0.227,

i want to make same as this server, i search a lot and ask my question here:
http://serverfault.com/questions/805413/squid-with-iptables-bypass-https

my server is centos 7 and i can install any version of squid on it, i try
lot of configuration
but not worked..

Please help me and give me true config.. i have just one valid ip in my
server that connected to internet

thanks alot


Re: [squid-users] Caching application/octet-stream

2016-10-03 Thread Michael Varun
> There is a bug in the SSL-Bump implementation we have not sorted out
> yet, which makes the "ssl-bump" on this port enable reverse-proxy mode
> handling. That seems to be leading to Surrogate feature being enabled
> and the Authorization:Bearer being removed when it should be relayed to
> the server.

Can you refer to the Bug ID if there is one already opened? If not,
should I submit one for reference?


On Fri, Sep 30, 2016 at 1:06 PM, Amos Jeffries  wrote:

> On 30/09/2016 8:10 p.m., Michael Varun wrote:
> > Here is the snippet of debug logs
> > I dont get to see anything missing out there . It does a GET call to the
> > docker registry on behalf of the requesting client The registry listens
> on
> > 443 so squid mimicks  client TLS connections post which does a GET call
> to
> > the docker registry on the requested blobs
>
> Well firstly, going by your earlier config file the client is *not*
> performing TLS connections. Your proxy is configured to receive
> plain-text HTTP at port 443.
>
> You seem to have stumbled onto two bugs in Squid which are combining to
> be problematic.
>
> There is a bug in the SSL-Bump implementation we have not sorted out
> yet, which makes the "ssl-bump" on this port enable reverse-proxy mode
> handling. That seems to be leading to Surrogate feature being enabled
> and the Authorization:Bearer being removed when it should be relayed to
> the server.
>
> The existence of Authorization header on the request combined with lack
> of Cache-Control:public on the response means these reponses are private
> responses associated with that auth credentials token. They cannot be
> cached and given to anyone else.
>
> That brings up what I think may be a second bug. Since the request to
> the server was sent without Auth header then Squid should be considering
> it a non-auth response and treating it as cacheable anyway. But probably
> is just using the client request for that decision.
>
>
> You could try adding the "login=PASSTHRU" option to your cache_peer
> line. If the server sends "Cache-Control:public" that should enable
> caching.
>
> Amos
>
>

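Amos's explanation above rests on two HTTP caching rules: a response to a request that carried Authorization is private to that credential unless the server explicitly marks it public, must-revalidate or s-maxage (RFC 7234 section 3.2), and that decision should be made on the request the proxy actually sent to the server, not the one the client sent. The Python below is an added example, not Squid's code and not from the thread, that implements the shared-cache storability check with a proper Cache-Control parser (quoted directive arguments such as private="Set-Cookie" are handled). The request and response header sets are constructed for illustration; the registry host and token are not from the original post.

```python
# Shared-cache storability check after RFC 7234 section 3 (general conditions)
# and section 3.2 (requests carrying Authorization). Example code, not Squid's.

# Status codes cacheable by default (RFC 7231 section 6.1).
DEFAULT_CACHEABLE_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def _split_directives(value):
    """Split a Cache-Control value on commas that are not inside quoted-strings."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value):
    """Return {directive: argument or None}; names lower-cased, quotes stripped."""
    out = {}
    for item in _split_directives(value or ""):
        name, _, arg = item.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == '"' == arg[-1]:
            arg = arg[1:-1]
        out[name] = arg if arg else None
    return out


def shared_cache_may_store(request_headers, response_headers, status=200):
    """Return (allowed, reason) for storing the response in a shared cache.

    Header names are matched case-insensitively. 'private' with field names is
    treated conservatively as not storable, which is what a cautious proxy does.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control"))
    resp_cc = parse_cache_control(resp.get("cache-control"))

    if "no-store" in req_cc:
        return False, "request Cache-Control: no-store"
    if "no-store" in resp_cc:
        return False, "response Cache-Control: no-store"
    if "private" in resp_cc:
        return False, "response Cache-Control: private (shared cache)"
    # RFC 7234 3.2: Authorization on the request makes the response private to
    # that credential unless the response explicitly allows shared caching.
    if "authorization" in req:
        if not any(d in resp_cc for d in ("must-revalidate", "public", "s-maxage")):
            return False, ("request carried Authorization and response lacks "
                           "public/must-revalidate/s-maxage (RFC 7234 3.2)")
    # RFC 7234 3: explicit freshness, 'public', or a default-cacheable status.
    if "expires" in resp or "max-age" in resp_cc or "s-maxage" in resp_cc or "public" in resp_cc:
        return True, "explicit freshness or public"
    if status in DEFAULT_CACHEABLE_STATUS:
        return True, "status %d cacheable by default" % status
    return False, "no freshness information and status %d not cacheable by default" % status


if __name__ == "__main__":
    # Constructed headers modelled on the thread: a blob fetch from a registry
    # where the client sends a bearer token and the proxy stripped it upstream.
    client_request = {"Host": "registry.example", "Authorization": "Bearer example-token"}
    upstream_request = {"Host": "registry.example"}
    blob_response = {"Content-Type": "application/octet-stream", "Content-Length": "1024"}
    public_response = dict(blob_response, **{"Cache-Control": "public, max-age=600"})
    print("judged on client request  :", shared_cache_may_store(client_request, blob_response))
    print("server adds public        :", shared_cache_may_store(client_request, public_response))
    print("judged on upstream request:", shared_cache_may_store(upstream_request, blob_response))
```

The three printed decisions are the three states in Amos's reply: denied because the client request carried Authorization, allowed once the server sends Cache-Control: public, and allowed if the decision is taken on the Authorization-free request that actually went upstream.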


Re: [squid-users] FW: squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

2016-10-03 Thread Vieri


Hi,

- Original Message -
> From: Yuri Voinov 
>

>> Why is Squid negotiating cipher RC4-MD5 which is reported "insecure"
>> and unsupported by the google web site?
> Because your antique client request it. XP desupported years ago.

[...]
> Throw out XP and IE8 and set up W7 as minimum with IE10. I see no other

> way. I am afraid that in this case, the cactus is too large and inedible.

I agree that XP clients shouldn't be used anymore but it's easier said than 
done in corporate environments.

In any case, on a purely technical level, I don't know the internals of Squid 
and standard proxying protocols but if a Windows XP+IE8 client has no problem 
whatsoever connecting directly (no proxy) to https://www.google.com but fails 
with Squid in the middle (ssl-bump) then that makes me think that it could be 
either a Squid bug or a missing feature (or maybe the fact that Squid is 
stricter when implementing protocols than Microsoft products). Whatever the 
reason, for an end-user like me it seems that the XP client is able to 
negotiate TLS correctly with Google and presumably using the cipher 
DES-CBC3-SHA (maybe after failing with RC4-MD5 on a first attempt), whereas 
Squid immediately fails with RC4-MD5. It doesn't ever seem to try DES-CBC3-SHA 
even though it's available in openssl. 


So I guess I'll start forcing users to use Firefox on WinXP or any other sane 
OS. I just wanted to point out though that I'm still confused as to why the 
client connection is failing.

Vieri