HTTPS Settings


HTTPS Settings

johnr
Hi,

I am writing about assistance with my SSL bump settings.

My squid conf (this is a simple version I'm using to test this issue) looks as follows:
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

http_access allow all
sslcrtd_children 2 startup=2 idle=1
http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all


There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.

My browser shows a screen that reads: "Failed to establish a secure connection to 96.43.153.48. The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache log contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"

Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.

Thank you for any help, it is much appreciated.

All the best,
John


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: HTTPS Settings

Amos Jeffries
Administrator
On 14/12/18 5:39 pm, John Refwe wrote:

> Hi,
>
> I am writing about assistance with my SSL bump settings.
>
> My squid conf (this is a simple version I'm using to test this issue) looks as follows:
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> http_access allow all
> sslcrtd_children 2 startup=2 idle=1
> http_port 3129 ssl-bump generate-host-certificates=on cert=/home/Guyfer/ssl_bump.pem options=NO_SSL_v2
>

FYI: SSLv2 support has been removed completely from Squid-4. That
includes things like "NO_SSL_v2".


> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
>
> There are a few websites, one of which is https://opts.ssa.gov where I get an error I'm having trouble understanding in the logs.
>
> My browser shows a screen that reads: "Failed to establish a secure connection to 96.43.153.48. The system returned: (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE) Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message"... The cache log contains the error "kid1| ERROR: negotiating TLS on FD 14: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)"
>

The weird message is from your OpenSSL library. Apparently the server
being contacted for this transaction is not responding with TLS.


> Now, if I were to modify the ssl bump settings to just be ssl_bump bump all (no peek), things seem to function fine. Am I running into a known limitation of server-first bumping? I have tried this on Squid 4.4 and Squid 4.3.
>

server-first is more equivalent to bumping at step3. You should use a
"stare" at step2 before bumping for more reliable behaviour. That may
not fix your issue though.


The best way to debug this further is to perform a packet capture of a
test transaction which is failing and look at what the server is sending
to Squid.


Amos

Re: HTTPS Settings

Alex Rousskov
In reply to this post by johnr
On 12/13/18 9:39 PM, John Refwe wrote:

> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

> There are a few websites, one of which is https://opts.ssa.gov where
> I get an error I'm having trouble understanding in the logs.

Does an OpenSSL s_client test work for that site, from your Squid box?
It works for me, but your environment may be different:

$ openssl s_client --servername opts.ssa.gov --connect opts.ssa.gov:443
GET /


> Am I running into a known limitation of server-first bumping?

Why do you say "server-first bumping"? The Squid configuration you
posted does not use server-first bumping. It uses step2 bumping, which
is a completely different animal.

Collecting a packet sample from the broken transaction (client-Squid and
Squid-server packets, in all four directions), like Amos has suggested,
is a good next step, especially if you cannot reproduce with s_client.

Alex.
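As an added illustration (not a configuration posted by Amos, Alex or John), here is the ssl_bump section from the original post rewritten as the step-wise peek/stare/bump sequence Amos recommends, with the meaningless NO_SSL_v2 option dropped; the certificate path is a placeholder:

```squidconf
# Added example, not from the thread. Same listening port as the original
# post; the cert path is a placeholder to replace with your own.
#
# options=NO_SSL_v2 is dropped: Squid-4 carries no SSLv2 code, so the
# option no longer has anything to switch off.
http_port 3129 ssl-bump generate-host-certificates=on cert=/PLACEHOLDER/path/to/ssl_bump.pem

sslcrtd_children 2 startup=2 idle=1

# One ACL per SslBump step so each step can get its own action.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 1: only the client's ClientHello (SNI) is known. Peek so Squid
# learns the server name without committing to an action yet.
ssl_bump peek step1

# Step 2: Squid has sent a ClientHello to the origin and sees its reply.
# "stare" here (instead of peek) keeps the bump option open at step 3,
# which is what the thread calls "server-first"-like behaviour.
ssl_bump stare step2

# Step 3: both sides of the handshake have been seen; bump now, using the
# real server certificate as the template for the generated one.
ssl_bump bump step3
```

With the original "peek step1 / bump all" layout the bump happens at step 2, before Squid has seen the server's handshake, which is the "step2 bumping" Alex distinguishes from server-first.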