Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
The config you have is doing client-first bumping (bump at step). It happens before the real cert or server details are available. As such any number of TLS features or extensions may be missing (or added) by squid that indicate problems to the browser.If you can use a config the peek/stare/splice at the step 1-2 and bump only at step it may work better.If you require this config, or have issues even with a step bump you will need to trace the TLS details being negotiated on both squid-browser and squid-server connections.Amos Original message From: Dieter Bloms Date: Thu, 21 Jan 2021, 00:25To: squid-users@lists.squid-cache.orgSubject: [squid-users] chromium based browsers don't play a video, when sslbump is enabledHello,I use squid 4.13 with enabled sslbump.Chromium based browsers like chrome and edge don't play this videohttps://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4The firefox browser and the old internet explorer have no problems.When I disable sslbumping for this destination the chromium basedbrowsers work as well.Here are some parts of my config:--snip--http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pemsslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MBsslcrtd_children 32 startup=10 idle=3tls_outgoing_options capath=/etc/ssl/certs min-version=1.2tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"ssl_bump splice nobumpingssl_bump bump all--snip--with wget or curl I can download the mp4 file in both cases (with and without sslbump)Can anybody try to view the video in a chromium based browser with enabled sslbump ?Thank you very much.-- Regards Dieter--I do not get viruses because I do not use MS software.If you use Outlook then please do not put my email address in youraddress-book so that WHEN you get a virus it won't use my address in theFrom field.___squid-users mailing listsquid-users@lists.squid-cache.orghttp://lists.squid-cache.org/listinfo/squid-users___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
Hello Eliezer, I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75. On Wed, Jan 20, Eliezer Croitoru wrote: > It's not clear if only Chromium or also a simple Chrome. > > Thanks, > Eliezer > > > Eliezer Croitoru > Tech Support > Mobile: +972-5-28704261 > Email: ngtech1...@gmail.com > Zoom: Coming soon > > > -Original Message- > From: squid-users On Behalf Of > Dieter Bloms > Sent: Wednesday, January 20, 2021 1:26 PM > To: squid-users@lists.squid-cache.org > Subject: [squid-users] chromium based browsers don't play a video, when > sslbump is enabled > > Hello, > > I use squid 4.13 with enabled sslbump. > Chromium based browsers like chrome and edge don't play this video > https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 > The firefox browser and the old internet explorer have no problems. > > When I disable sslbumping for this destination the chromium based > browsers work as well. > > Here are some parts of my config: > > --snip-- > http_port MYIP:8080 ssl-bump generate-host-certificates=on > dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem > key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem > sslcrtd_program /usr/sbin/security_file_certgen -s > /var/cache/squid/sslcert_db -M 32MB > sslcrtd_children 32 startup=10 idle=3 > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2 > tls_outgoing_options > cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1 > > acl nobumping dstdomain "/etc/squid/nohttpsscan.domains" > ssl_bump splice nobumping > ssl_bump bump all > --snip-- > > with wget or curl I can download the mp4 file in both cases (with and without > sslbump) > > Can anybody try to view the video in a chromium based browser with enabled > sslbump ? > > Thank you very much. > > > -- > Regards > > Dieter > > -- > I do not get viruses because I do not use MS software. > If you use Outlook then please do not put my email address in your > address-book so that WHEN you get a virus it won't use my address in the > From field. > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -- Gruß Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
I can watch both Edge and Chromium here with a "naked" sslbump: 1611161802.690 16176 192.168.189.48 TCP_MISS/206 30704989 GET https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 - ORIGINAL_DST/85.214.58.228 video/mp4 admin.wissen-ad.de # squid -v Squid Cache: Version 5.0.4-20201125-r5fadc09ee Service Name: squid This binary uses OpenSSL 1.1.1g FIPS 21 Apr 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'CXX=g++' 'CXXFLAGS=-O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' --enable-ltdl-convenience Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon -Original Message- From: squid-users On Behalf Of Dieter Bloms Sent: Wednesday, January 20, 2021 6:01 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled Hello Eliezer, I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75. On Wed, Jan 20, Eliezer Croitoru wrote: > It's not clear if only Chromium or also a simple Chrome. > > Thanks, > Eliezer > > > Eliezer Croitoru > Tech Support > Mobile: +972-5-28704261 > Email: ngtech1...@gmail.com > Zoom: Coming soon > > > -Original Message- > From: squid-users On Behalf Of > Dieter Bloms > Sent: Wednesday, January 20, 2021 1:26 PM > To: squid-users@lists.squid-cache.org > Subject: [squid-users] chromium based browsers don't play a video, when > sslbump is enabled > > Hello, > > I use squid 4.13 with enabled sslbump. > Chromium based browsers like chrome and edge don't play this video > https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 > The firefox browser and the old internet explorer have no problems. > > When I disable sslbumping for this destination the chromium based > browsers work as well. > > Here are some parts of my config: > > --snip-- > http_port MYIP:8080 ssl-bump generate-host-certificates=on > dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem > key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem > sslcrtd_program /usr/sbin/security_file_certgen -s > /var/cache/squid/sslcert_db -M 32MB > sslcrtd_children 32 startup=10 idle=3 > tls_outgoing_options capath=/etc/ssl/certs min-versio
[squid-users] chromium based browsers don't play a video, when sslbump is enabled
Hello, I use squid 4.13 with enabled sslbump. Chromium based browsers like chrome and edge don't play this video https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 The firefox browser and the old internet explorer have no problems. When I disable sslbumping for this destination the chromium based browsers work as well. Here are some parts of my config: --snip-- http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB sslcrtd_children 32 startup=10 idle=3 tls_outgoing_options capath=/etc/ssl/certs min-version=1.2 tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1 acl nobumping dstdomain "/etc/squid/nohttpsscan.domains" ssl_bump splice nobumping ssl_bump bump all --snip-- with wget or curl I can download the mp4 file in both cases (with and without sslbump) Can anybody try to view the video in a chromium based browser with enabled sslbump ? Thank you very much. -- Regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
It's not clear if only Chromium or also a simple Chrome. Thanks, Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon -Original Message- From: squid-users On Behalf Of Dieter Bloms Sent: Wednesday, January 20, 2021 1:26 PM To: squid-users@lists.squid-cache.org Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled Hello, I use squid 4.13 with enabled sslbump. Chromium based browsers like chrome and edge don't play this video https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 The firefox browser and the old internet explorer have no problems. When I disable sslbumping for this destination the chromium based browsers work as well. Here are some parts of my config: --snip-- http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB sslcrtd_children 32 startup=10 idle=3 tls_outgoing_options capath=/etc/ssl/certs min-version=1.2 tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1 acl nobumping dstdomain "/etc/squid/nohttpsscan.domains" ssl_bump splice nobumping ssl_bump bump all --snip-- with wget or curl I can download the mp4 file in both cases (with and without sslbump) Can anybody try to view the video in a chromium based browser with enabled sslbump ? Thank you very much. -- Regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
