Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG


Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG

C. L. Martinez
Hi all,

 After installing Squid 3.5.24 on my Debian testing (many thanks, Amos, for your help), I am trying to configure Squid as an https intercept proxy. My config currently is:

http_port 127.0.0.1:8080
http_port 127.0.0.1:8081 intercept
http_port 127.0.0.1:8082 ssl-bump cert=/opt/squid/etc/certs/myCA.pem generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB tls-dh=/opt/squid/etc/certs/dhparam.pem
https_port 127.0.0.1:8083 ssl-bump intercept cert=/opt/squid/etc/certs/myCA.pem generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB tls-dh=/opt/squid/etc/certs/dhparam.pem
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /var/squid/ssldb -M 4MB

# SSL-Bump
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump splice localhost
acl exclude_sites ssl::server_name_regex -i "/usr/local/etc/squid/doms.nobump"
ssl_bump peek step1 all
ssl_bump splice exclude_sites
ssl_bump stare step2 all
ssl_bump bump all

 Content of "/usr/local/etc/squid/doms.nobump" is:

update\.microsoft\.com$
update\.microsoft\.com\.akadns\.net$

 But every time I receive Error code: SSL_ERROR_RX_RECORD_TOO_LONG in Firefox browsers when I visit any website using https, like https://www.debian.org, https://www.redhat.com, etc. Some time ago, I set up the same config under OpenBSD and everything worked ok.

 Where am I making the mistake?
--
Greetings,
C. L. Martinez
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
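Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG when the bytes it gets back do not parse as a TLS record header, which usually means the port it connected to answered with something other than TLS. The diagnostic below is an added example (not code from the thread or from Squid): it builds a minimal ClientHello, sends it to a host, port and SNI of your choosing (for instance the ssl-bump listener from the config above), and reads the first five bytes back as a TLS record header to tell a genuine TLS reply from plain-text garbage.

```python
"""Diagnose what a TLS client really received when it reports SSL_ERROR_RX_RECORD_TOO_LONG."""
import os
import socket
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# TLSCiphertext.length may not exceed 2^14 + 2048 bytes (RFC 5246, section 6.2.3).
MAX_RECORD_LENGTH = 2**14 + 2048


def client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a single SNI extension."""
    name = sni.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # NameType host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"                               # three AES-GCM suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                     # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_server_bytes(data: bytes) -> str:
    """Read the server's first bytes as a TLS record header and say what they are.

    Firefox raises SSL_ERROR_RX_RECORD_TOO_LONG when the 2-byte length field is
    implausible, which in practice means the port answered with something other
    than TLS (plain HTTP, a banner, an error page) and the header is garbage.
    """
    if not data:
        return "connection closed without sending any data"
    if len(data) < 5:
        return "fewer than 5 bytes: not a complete TLS record header"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LENGTH:
        return f"TLS {CONTENT_TYPES[ctype]} record, version 3.{minor}, {length} bytes"
    head = data[:16].decode("ascii", "replace")
    return f"not a TLS record (type {ctype}, length field {length}): starts with {head!r}"


def probe(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port (for example the ssl-bump listener) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(sni))
        return classify_server_bytes(sock.recv(4096))
```

A plain-text HTTP answer such as `HTTP/1.1 400 ...` decodes to a length field of 20527, well above the 18432-byte limit, which is exactly the condition behind the Firefox error; a TLS alert record, by contrast, shows the server did speak TLS and the problem lies in the handshake itself.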

Re: Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG

Yuri Voinov


04.03.2017 3:29, C. L. Martinez wrote:

>  Where am I making the mistake?
This is hardly a mistake. Most probably this is a platform-specific
non-squid bug.
--
Bugs to the Future


Re: Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG

C. L. Martinez
On Sat, Mar 04, 2017 at 04:21:19AM +0600, Yuri Voinov wrote:

> 04.03.2017 3:29, C. L. Martinez wrote:
> >  Where am I making the mistake?
> This is hardly a mistake. Most probably this is a platform-specific
> non-squid bug.
> --
> Bugs to the Future

Uhmm ... You are right, Yuri. There is some problem with LibreSSL :( ... Generating the certificate with Debian's openssl package works ok.

Many thanks Yuri.

--
Greetings,
C. L. Martinez