On 17/09/2015 3:16 a.m., Dieter Bloms wrote:
> Hello Antony,
>
>
> On Wed, Sep 16, Antony Stone wrote:
>
>> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>>
>>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
>>> accessible via HTTPS and sslbump enabled.
>>> But I can't get any access to the destination
>>> https://banking.postbank.de, which is accessible with 3.4.13.
>>> I use the same config for both squid versions.
>>
>> 1. What is that configuration (squid.conf without comments or blank lines,
>> please)?
>
> The relevant part is:
>
> --snip--
> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key
> generate-host-certificates=on dhparams=/etc/squid/dhparams.pem

Replace these...

> ssl_bump none nodecryptdomains
> ssl_bump server-first all

... with:

acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice nodecrypt
ssl_bump bump all

Maybe also remove the nodecryptdomains ACL. Depends on whether you use it
anywhere else.

> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher
> ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> --snip--
>
> The destination banking.postbank.de is not listed in the
> /etc/squid/nodecrypt.domains file.
>
> With squid-3.4.13 the logs look like:
>
> --snip--
> 1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET
> https://banking.postbank.de/rai/rai/image/pb-logo.png -
> HIER_DIRECT/62.153.105.15 image/png
> 1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET
> https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png -
> HIER_DIRECT/62.153.105.15 image/png
> 1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET
> https://banking.postbank.de/rai/rai/css/image/fld-input.png -
> HIER_DIRECT/62.153.105.15 image/png
> 1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET
> https://banking.postbank.de/rai/rai/css/image/rgn-noise.png -
> HIER_DIRECT/62.153.105.15 image/png
> 1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET
> https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff -
> HIER_DIRECT/62.153.105.15 application/x-font-woff
> 1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET
> https://banking.postbank.de/rai/rai/css/image/aside-shadow.png -
> HIER_DIRECT/62.153.105.15 image/png
> 1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET
> https://banking.postbank.de/rai/rai/css/image/action-links.png -
> HIER_DIRECT/62.153.105.15 image/png
> --snip--
>
> With squid 3.5.8 the logs look like:
>
> --snip--
> 1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> 1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443
> - HIER_DIRECT/62.153.105.15 -
> --snip--

This is the CONNECT request which was made prior to the ssl_bump rules
being checked. 3.5 will log this regardless of bumping (or not). The
absence of "TCP_TUNNEL" means the bumping did happen.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
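As an added example that is not part of this thread and not a Squid tool: a small Python script that parses Squid's native access.log format and applies the rule Amos states above (a CONNECT logged with TCP_TUNNEL was spliced; a 2xx CONNECT logged without it was bumped) to report, per destination host, how many connections were bumped or spliced and whether any decrypted https:// requests were logged behind them. The sample log is constructed: its first two lines copy the 3.5.8 entries quoted above, while the *.example hosts, the 192.0.2.x addresses and the TCP_TUNNEL and TCP_MISS entries are invented for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not from the post).
# The first two CONNECT lines mirror the 3.5.8 output quoted in the thread;
# the *.example hosts, 192.0.2.x peers and TCP_TUNNEL/TCP_MISS lines are invented.
SAMPLE_LOG = """\
1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.100 1503 CLIENTIP TCP_TUNNEL/200 48210 CONNECT spliced.example:443 - HIER_DIRECT/192.0.2.10 -
1442410301.000 30 CLIENTIP TAG_NONE/200 0 CONNECT bumped.example:443 - HIER_DIRECT/192.0.2.20 -
1442410301.250 41 CLIENTIP TCP_MISS/200 2048 GET https://bumped.example/index.html - HIER_DIRECT/192.0.2.20 text/html
"""

# Native format: time elapsed client tag/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Parse one native-format line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def host_of(entry):
    """Destination host: 'host:port' for CONNECT, a full URL otherwise."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["url"]).hostname or "").lower()


def classify_connect(entry):
    """Apply the rule from the reply: a CONNECT with TCP_TUNNEL was spliced
    (passed through unread); any other tag on a 2xx CONNECT means the
    connection was bumped. A non-2xx CONNECT never became a tunnel at all."""
    if not entry["status"].startswith("2"):
        return "failed"
    return "spliced" if entry["tag"] == "TCP_TUNNEL" else "bumped"


def summarize(log_text):
    """Per host: how many CONNECTs were bumped/spliced/failed, and how many
    decrypted https:// requests Squid logged for it."""
    stats = defaultdict(lambda: {"bumped": 0, "spliced": 0, "failed": 0, "decrypted": 0})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip lines in another log format or truncated lines
        host = host_of(entry)
        if entry["method"] == "CONNECT":
            stats[host][classify_connect(entry)] += 1
        elif entry["url"].startswith("https://"):
            # A plain https:// URL only reaches access.log if Squid decrypted it
            stats[host]["decrypted"] += 1
    return dict(stats)


def bumped_without_traffic(stats):
    """Hosts whose CONNECTs were bumped but for which no decrypted request was
    ever logged: the pattern the quoted 3.5.8 log shows for banking.postbank.de."""
    return sorted(h for h, s in stats.items() if s["bumped"] and not s["decrypted"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, s in sorted(summary.items()):
        print(f"{host:22} bumped={s['bumped']} spliced={s['spliced']} "
              f"failed={s['failed']} decrypted={s['decrypted']}")
    print("bumped, no decrypted traffic:", bumped_without_traffic(summary))
```

Run against a real access.log (`summarize(open("/var/log/squid/access.log").read())`), the `bumped_without_traffic` list is the set of hosts to look at next in cache.log: their CONNECTs were bumped, yet no decrypted request ever followed, which is exactly what the 3.5.8 excerpt above shows.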