Hello there,

Thanks for your interest. The versions we use are:

Squid Cache: Version 3.4.10
OpenSSL 1.0.2h  3 May 2016
----------
Configuration we use for https bumping:
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

On Sun, Jul 10, 2016 at 5:12 PM, Eliezer Croitoru <elie...@ngtech.co.il>
wrote:

> Hey,
>
>
>
> What version of squid is provided on pfsense and what version are you
> using?
>
>
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
> *From:* squid-users [mailto:squid-users-boun...@lists.squid-cache.org] *On
> Behalf Of *Yi?itcan U?UM
> *Sent:* Sunday, July 10, 2016 3:49 PM
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] HTTPS bump doesn't work with websites that
> require SNI
>
>
>
> Hello there. We're using pfsense and squid-proxy to bump https connections
> between some of our machines and www. The setup seems to work fine for
> most of the https sites, but it doesn't work for the others.
>
>
>
> One example of these sites is "docs.docker.com". Even though we can
> connect to "docker.com", we can't connect to "docs.docker.com".
>
>
>
> The error we get is:
>
> (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
>
> Handshake with SSL server failed: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> Upon further investigation we found out that this happens because some
> sites require SNI to supply correct SSL certificate.
>
> You can test this out with:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -> ERROR
>
> 140612823746464:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
>
> -------------------------------
>
> openssl s_client -connect docs.docker.com:443 -servername docs.docker.com ->
> Works
>
> --------------------------------
>
> Squid seems to make https request without the SNI. How can we configure
> Squid to use SNI? Thanks.
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
