On 17/09/2015 3:16 a.m., Dieter Bloms wrote:
> Hello Antony,
> 
> 
> On Wed, Sep 16, Antony Stone wrote:
> 
>> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>>
>>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
>>> accessible via HTTPS with sslbump enabled.
>>> But I can't get any access to the destination
>>> https://banking.postbank.de, which is accessible with 3.4.13.
>>> I use the same config for both squid versions.
>>
>> 1. What is that configuration (squid.conf without comments or blank lines, 
>> please)?
> 
> the relevant part is:
> 
> --snip--
> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem


Replace these...

> ssl_bump none nodecryptdomains
> ssl_bump server-first all

... with:

 acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice nodecrypt
 ssl_bump bump all

Maybe also remove the nodecryptdomains ACL. Depends on whether you use
it anywhere else.


> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> --snip--
> 
> the destination banking.postbank.de is not listed in the 
> /etc/squid/nodecrypt.domains file
> 
> with squid-3.4.13 the logs look like:
> 
> --snip--
> 1442410263.639     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.737     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.738     20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.739     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.751     33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
> 1442410263.822     22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.823     23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
> --snip--
> 
> with squid 3.5.8 the logs look like:
> 
> --snip--
> 1442410295.266     32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.297     28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.328     29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.379     43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.420     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.460     38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.500     37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.548     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.590     39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.629     36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> --snip--

This is the CONNECT request which was made prior to the ssl_bump rules
being checked. 3.5 will log this regardless of bumping (or not). The
absence of "TCP_TUNNEL" means the bumping did happen.


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

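The reading of the 3.5 log in Amos's reply (a `TAG_NONE/200 0 CONNECT` entry is the CONNECT logged before the ssl_bump rules ran; `TCP_TUNNEL` would mean the connection was spliced; decrypted `GET https://...` entries can only appear after a bump) can be turned into a small triage script for access.log. The following is an added example, not code from the thread or from the Squid project. It assumes Squid's native log format with one entry per line (the entries quoted above were wrapped by the mail client) and uses constructed sample lines with illustrative hosts; the function and field names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of Squid 3.5 native access.log entries (illustrative
# hosts and addresses, not copied from any real proxy).
SAMPLE_LOG = """\
1442410295.266     32 10.0.0.5 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297     28 10.0.0.5 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.300   1203 10.0.0.5 TCP_TUNNEL/200 5321 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.10 -
1442410264.000     20 10.0.0.5 TAG_NONE/200 0 CONNECT www.example.org:443 - HIER_DIRECT/198.51.100.7 -
1442410264.120     23 10.0.0.5 TCP_MISS/200 7531 GET https://www.example.org/logo.png - HIER_DIRECT/198.51.100.7 image/png
"""

# Squid native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one access.log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(entry):
    """Destination host: strip the port for CONNECT, take the URL host otherwise."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname


def summarize(log_text):
    """Count, per destination host, the three entry kinds that matter for ssl_bump."""
    counts = defaultdict(
        lambda: {"connect_no_tunnel": 0, "tunnel": 0, "decrypted_requests": 0}
    )
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        host = host_of(e)
        if host is None:
            continue
        if e["method"] == "CONNECT":
            if e["tag"] == "TCP_TUNNEL":
                # Spliced: Squid tunnelled the TLS bytes without decrypting them.
                counts[host]["tunnel"] += 1
            else:
                # TAG_NONE/200 0: the CONNECT accepted before ssl_bump decided.
                counts[host]["connect_no_tunnel"] += 1
        elif e["url"].startswith("https://"):
            # A logged https:// request is only possible after a bump.
            counts[host]["decrypted_requests"] += 1
    return dict(counts)


def verdict(host_counts):
    """Classify one host from its counts, following the reading in the reply."""
    if host_counts["tunnel"] > 0:
        return "spliced"
    if host_counts["decrypted_requests"] > 0:
        return "bumped, decrypted requests logged"
    if host_counts["connect_no_tunnel"] > 0:
        return "bumped, but no decrypted request followed"
    return "no CONNECT seen"


if __name__ == "__main__":
    for host, c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}: {c} -> {verdict(c)}")
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file contents. A host that reports "bumped, but no decrypted request followed" is in the state the thread describes for banking.postbank.de: Squid completed the bump on its side, yet no request from inside the tunnel was ever logged, so the next place to look is the client side of that TLS session rather than the ssl_bump rules.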