[squid-users] SSL issues
Hello List,

I've finally got a squid3 (squid3.4-4, compiled from sources on Debian) with SSL interception solution working quite decently. Now, trying to make it work better, I found some entries in the cache.log file, like these:

2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.75/- - GET'. Future Squid will treat this as part of the URL.

I've been looking for solutions to this with no luck. So, these are my questions:

1) is it possible to check or view a FD content in order to troubleshoot this?
2) could you please shed some light on how to solve this?
3) how do I apply a patch to upgrade my actual squid solution?

Thank you!

Ikna

The SSL part of squid.conf:

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB cert=/etc/squid3/certs/ssl/public2.pem key=/etc/squid3/certs/ssl/private.pem options=NO_SSLv2,NO_SSLv3 capath=/etc/ssl/certs
acl SSL_whitelist dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
acl SSL_whitelist_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
ssl_bump none localhost
ssl_bump none SSL_whitelist
ssl_bump none SSL_whitelist_ip
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cert_error allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/lib/ssl_db -M 200MB
sslcrtd_children 40
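To tell the two sides of the bump apart in a cache.log like the one above, here is an added example (not code from the thread or from the Squid project): it parses lines of the shape shown, counts failures per side and reason, and attaches the usual OpenSSL meaning of each reason. The sample log is the poster's lines re-typed inline as constructed input; the hints are general OpenSSL semantics, not Squid documentation.

```python
import re
from collections import Counter

# Constructed sample input: the cache.log lines from the post above.
SAMPLE_LOG = """\
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 683: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 160: error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned (1/-1/0)
2014/07/28 16:07:37 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 117: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:07:40 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.74/- - GET'. Future Squid will treat this as part of the URL.
2014/07/28 16:07:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 922: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2014/07/28 16:08:55 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 10.10.25.75/- - GET'. Future Squid will treat this as part of the URL.
"""
# fwdNegotiateSSL is Squid's handshake with the origin server; clientNegotiateSSL
# is its handshake with the browser (which sees the squid-generated certificate).
SIDE = {"fwdNegotiateSSL": "server", "clientNegotiateSSL": "client"}

SSL_RE = re.compile(
    r"kid\d+\| (?P<func>fwdNegotiateSSL|clientNegotiateSSL): Error negotiating SSL "
    r"connection on FD (?P<fd>\d+): error:(?P<code>[0-9a-fA-F]+):SSL routines:"
    r"(?P<routine>[^:]+):(?P<reason>[^(]+?) \("
)
REWRITER_RE = re.compile(r"URL rewriter reponded with garbage '(?P<reply>[^']*)'")
# Usual meaning of each reason (OpenSSL/TLS semantics, not anything Squid-specific).
HINTS = {
    ("client", "tlsv1 alert unknown ca"): "browser sent alert 48: it does not trust the bumping CA",
    ("server", "wrong cipher returned"): "origin chose a cipher suite OpenSSL had not offered",
    ("rewriter", "garbage reply"): "url_rewrite_program wrote an unexpected reply line",
}

def parse_line(line):
    """Return a small dict describing one cache.log line, or None if not relevant."""
    m = SSL_RE.search(line)
    if m:
        return {"side": SIDE[m["func"]], "fd": int(m["fd"]), "reason": m["reason"].strip()}
    m = REWRITER_RE.search(line)
    if m:
        return {"side": "rewriter", "fd": None, "reason": "garbage reply", "reply": m["reply"]}
    return None

def summarize(log_text):
    """Count events per (side, reason) so the two sides of the bump can be told apart."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            counts[(ev["side"], ev["reason"])] += 1
    return counts

if __name__ == "__main__":
    for (side, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {side:8s} {reason:28s} {HINTS.get((side, reason), '')}")
```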
RE: [squid-users] https interception some whitelisted sites not working properly
Fellows, one more question: with the following setup, am I achieving a truly transparent proxy?

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/squid3/certs/ssl/public.pem key=/etc/squid3/certs/ssl/private.pem
acl broken_sites_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites_ip
ssl_bump none broken_sites
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all

I also have enabled ip_forward and got these iptables rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -I INPUT -p tcp -m tcp --dport 3129 -j ACCEPT

Thanks

> From: ikn...@outlook.com
> To: squid-users@squid-cache.org
> Date: Fri, 2 May 2014 11:47:43 -0400
> Subject: RE: [squid-users] https interception some whitelisted sites not working properly
>
> Thank you Eliezer for your quick answer. I've been struggling for many days to get this to work...
>
> Tested your recommendation and it worked like a charm!
>
> ...
> ...
> acl broken_sites_ip dst a.b.c.d/xx
> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
> always_direct allow broken_sites
> ssl_bump none localhost
> ssl_bump none broken_sites_ip
> ssl_bump none broken_sites
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ssl_bump server-first all
> ...
> ...
>
> One last question: is the "always_direct" instruction necessary?
> Thanks!
>
>> Date: Fri, 2 May 2014 00:55:03 +0300
>> From: elie...@ngtech.co.il
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] https interception some whitelisted sites not working properly
>>
>> Hey there,
>>
>> This was asked in the past month twice if I'm not wrong.
>> In the stage when you use ssl_bump.. squid doesn't have any sense of dstdomain.
>> Means that when squid bumps and knows the site name the connection is already bumped and knows about it, but when you want to apply a whitelist squid only works on the IP level.
>> So instead use iptables and/or squid "dst" as a whitelist level.
>>
>> Eliezer
>>
>> On 05/02/2014 12:21 AM, Ikna Nou wrote:
>>> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
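Eliezer's workaround quoted above moves the whitelist to an IP-level dst ACL, which in the config above is fed from /etc/squid3/acl/ssl_whitelist_ip.acl. As an added example (not the poster's or Squid's own code), this turns a dstdomain list into that file's contents; the sample whitelist entries, the resolver and the output path are assumptions.

```python
import ipaddress
import socket

# Constructed sample of a dstdomain whitelist file such as
# /etc/squid3/acl/ssl_whitelist.acl (hypothetical entries, not the poster's list).
SAMPLE_WHITELIST = """\
# sites that break when bumped
.example.com
example.net
nosuch.invalid   # will not resolve and must be skipped
"""

def system_resolver(host):
    """Resolve host to its A/AAAA addresses with the OS resolver (needs network)."""
    return {sa[0] for _, _, _, _, sa in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}

def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))  # IPv4 first, then IPv6, each in numeric order

def whitelist_to_dst_acl(acl_text, resolve=system_resolver):
    """Map each dstdomain entry to the addresses a 'dst' ACL can match.

    A leading dot means 'this domain and its subdomains'; an IP list can only
    cover the names actually resolved, so subdomains on other hosts still get bumped.
    """
    entries = set()
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            addrs = resolve(line.lstrip("."))
        except OSError:  # socket.gaierror is a subclass: unresolvable name
            continue  # skip it rather than write junk into the ACL file
        for a in addrs:
            entries.add(str(ipaddress.ip_address(a)))  # normalise textual form
    return sorted(entries, key=_sort_key)

def write_dst_acl(path, entries):
    """Write one address per line, the format 'acl ... dst "file"' expects."""
    with open(path, "w") as f:
        f.write("\n".join(entries) + "\n")
    return len(entries)

if __name__ == "__main__":
    # Assumed output path; run `squid3 -k reconfigure` afterwards to reload the ACL.
    print(write_dst_acl("ssl_whitelist_ip.acl", whitelist_to_dst_acl(SAMPLE_WHITELIST)))
```

Large sites answer from many changing addresses, so the file has to be regenerated regularly and still cannot cover subdomains hosted on other addresses.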
RE: [squid-users] https interception some whitelisted sites not working properly
Thank you Eliezer for your quick answer. I've been struggling for many days to get this to work...

Tested your recommendation and it worked like a charm!

...
...
acl broken_sites_ip dst a.b.c.d/xx
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites_ip
ssl_bump none broken_sites
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all
...
...

One last question: is the "always_direct" instruction necessary?
Thanks!

> Date: Fri, 2 May 2014 00:55:03 +0300
> From: elie...@ngtech.co.il
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] https interception some whitelisted sites not working properly
>
> Hey there,
>
> This was asked in the past month twice if I'm not wrong.
> In the stage when you use ssl_bump.. squid doesn't have any sense of dstdomain.
> Means that when squid bumps and knows the site name the connection is already bumped and knows about it, but when you want to apply a whitelist squid only works on the IP level.
> So instead use iptables and/or squid "dst" as a whitelist level.
>
> Eliezer
>
> On 05/02/2014 12:21 AM, Ikna Nou wrote:
>> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
[squid-users] https interception some whitelisted sites not working properly
Hello List,

This is my situation: squid3.4.4 on Debian compiled from source (with options --enable-ssl and --enable-ssl-crtd). It works quite well.

Now, I'm trying to create a list of "ssl whitelisted" sites, using the ssl_bump feature and following: http://wiki.squid-cache.org/Features/SslBump

With some sites added to this list (like Google, Hotmail, etc) the certificate presented to the client isn't the original one but the one created by squid. It happens with some sites, particularly these. There are others that are OK. Have you folks gone through these issues?

Below is my squid.conf setting regarding this. Thanks in advance!

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/squid3/certs/ssl/public.pem key=/etc/squid3/certs/ssl/private.pem
## --\
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
#acl broken_sites dstdomain .cisco.com .virustotal.com .mail-archive.com .facebook.com
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites
#ssl_bump server-first !broken_sites
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all