Hi,

I’m new to this group. I just set up a Squid ver 4.5 on my Ubuntu machine. I configured this proxy to receive https packets from another device on the same LAN, and modified the iptables to redirect the port 443 packets to the Squid proxy port 3130.

I can see the client https packet has been received and the proxy is ready to do the ‘bump’; the fd to the client connection is 13:

**
2019/12/07 20:48:59.586 kid1| 85,4| client_side_request.cc(1510) processRequest: CONNECT x.y.43.31:443
2019/12/07 20:48:59.586 kid1| 85,5| client_side_request.cc(1597) sslBumpStart: Confirming peek-bumped CONNECT tunnel on FD local=x.y..31:443 remote=192.168.1.25:39273 FD 13 flags=33
**


From the debug I can also see the proxy connects towards the remote server, and the proxy has negotiated fine with the server. The proxy receives 3 certificates from the server, and verification was fine to the server. But when the proxy tries to proceed with client negotiation, I get this error:

***
2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc(2859) sslCrtdHandleReply: Certificate for x.y.43.31 was successfully recieved from ssl_crtd
2019/12/07 20:48:59.760 kid1| 33,5| client_side.cc(3335) doPeekAndSpliceStep: PeekAndSplice mode, proceed with client negotiation. Currrent state:SSLv2/v3 read client hello A
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 13, type=2, handler=1, client_data=0x15beef8, timeout=0
2019/12/07 20:48:59.760 kid1| 84,5| helper.cc(1247) GetFirstAvailable: GetFirstAvailable: Running servers 5
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall helperHandleRead constructed, this=0x1a37c50 [call827]
2019/12/07 20:48:59.760 kid1| 5,5| Read.cc(57) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 10 flags=1; asynCall 0x1a37c50*1
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 10, type=1, handler=1, client_data=0x155cce8, timeout=0
2019/12/07 20:48:59.760 kid1| 5,4| AsyncCallQueue.cc(57) fireNext: leaving helperHandleRead(local=[::] remote=[::] FD 10 flags=1, data=0x157f9a8, size=3384, buf=0x157fbd0)
2019/12/07 20:48:59.760 kid1| 83,5| bio.cc(612) squid_bio_ctrl: 0x1a5e140 6(0, 0x1a76c00)
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(347) get_session_cb: Request to search for SSL_SESSION of len: 321019023443:419801955
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(156) openForReading: trying to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(177) openForReadingAt: trying to open slot at 18 for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(169) openForReading: failed to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(362) get_session_cb: Failed to retrieve SSL_SESSION from cache
***

Here is my squid.conf:

#
acl localnet src 192.168.1.0/24
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/local/squid/etc/ssl_cert/myCA.pem

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256 # 1GB as Cache

##

I’m wondering if this problem is a bug, an issue with my proxy config, or the client not sending the correct TLS parameters.
Thanks for your help in advance.

Cheers,
- George
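When working through a debug trace like the one above it helps to parse the cache.log lines mechanically rather than by eye. The following is an added example, not code from the post or from the Squid project: it parses Squid's `timestamp kidN| section,level| file(line) function: message` debug format, re-joins lines that a mail client wrapped, groups entries by the file descriptor they mention (so the client-side FD 13 and the helper FD 10 can be followed separately), and picks out the section 54 `tls_session_cache` miss. The sample lines are constructed from the ones quoted in the post.

```python
import re

# Squid cache.log debug line, as quoted in the post (mail clients wrap it):
#   YYYY/MM/DD HH:MM:SS.mmm kidN| SECTION,LEVEL| file.cc(LINE) function: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<kid>kid\d+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| (?P<file>[\w.]+)\((?P<line>\d+)\) "
    r"(?P<func>\w+): (?P<msg>.*)$")
FD_RE = re.compile(r"\bFD (\d+)\b")

def unwrap(text):
    # A line that does not start with a date continues the previous (wrapped) line.
    lines = []
    for raw in filter(str.strip, text.splitlines()):
        if lines and not re.match(r"\d{4}/\d{2}/\d{2} ", raw):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_log(text):
    # Parse each well-formed debug line into a dict of its named fields.
    entries = []
    for m in filter(None, map(LINE_RE.match, unwrap(text))):
        d = m.groupdict()
        d.update(section=int(d["section"]), level=int(d["level"]), line=int(d["line"]))
        entries.append(d)
    return entries

def by_fd(entries):
    # Group entries by every file descriptor named in the message (FD 13 = client side here).
    out = {}
    for e in entries:
        for fd in FD_RE.findall(e["msg"]):
            out.setdefault(int(fd), []).append(e)
    return out

def session_cache_misses(entries):
    # Section 54 (shared memory map) lines reporting a slot that could not be opened.
    return [e for e in entries if e["section"] == 54 and "failed to open slot" in e["msg"]]

# Constructed sample: four lines taken from the post, the third wrapped by the mail client.
SAMPLE = """\
2019/12/07 20:48:59.760 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 13, type=2, handler=1, client_data=0x15beef8, timeout=0
2019/12/07 20:48:59.760 kid1| 5,5| Read.cc(57) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 10 flags=1; asynCall 0x1a37c50*1
2019/12/07 20:48:59.761 kid1| 54,5| MemMap.cc(169) openForReading: failed to open slot for key 5310BD3C63AB0519C4F984A35A8DC1AE
for reading in map [tls_session_cache]
2019/12/07 20:48:59.761 kid1| 83,5| Session.cc(362) get_session_cb: Failed to retrieve SSL_SESSION from cache
"""
```

Run `parse_log` over a full cache.log captured with `debug_options ALL,5` and filter `by_fd(...)[13]` to see only what happened on the client connection.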

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
