Strangely signed website, and ssl_bump error


jetraw
This post has NOT been accepted by the mailing list yet.
Hello everyone.
I have two Squid proxy servers; the first server I configured myself, the other server I got.

And now I got a bump error on the website https://mba-max.de/:
The following error was encountered while trying to retrieve the URL: https://78.47.175.105/*
Failed to establish a secure connection to 78.47.175.105
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: [No Error]

on access.log:
1502203900.513    177 192.168.11.57 TAG_NONE/200 0 CONNECT www.mba-max.de:443 user@domain HIER_DIRECT/78.47.175.105 -
1502203900.523      1 192.168.11.57 TCP_DENIED/407 4762 CONNECT www.mba-max.de:443 - HIER_NONE/- text/html
1502203900.630    104 192.168.11.57 TAG_NONE/200 0 CONNECT www.mba-max.de:443 user@domain HIER_DIRECT/78.47.175.105 -
1502203900.637      0 192.168.11.57 TAG_NONE/503 353 GET https://www.mba-max.de/Login.aspx? user@domain HIER_NONE/- text/html

on cache.log
2017/08/08 17:53:53 kid1| Error negotiating SSL on FD 31: error:00000000:lib(0):func(0):reason(0) (5/0/0)

my ssl_bump configuration:

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/squid.pem key=/usr/local/etc/squid/squid.pem version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# I also tried using it without a transparent connection
http_port 3130  ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/squid.pem key=/usr/local/etc/squid/squid.pem version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

I also tried to use ssl-bump without options

I tried this website on:
Lubuntu 17.04 with squid 3.5.23
and
FreeBSD 10.3 with squid 3.5.22

Now I use splice for this website, but I want to bump this traffic.
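
Added example (not part of the original post, and not Squid's own tooling): a small parser for the native access.log format quoted above that flags the pattern seen in this post, a CONNECT answered with 200 followed shortly by a 503 with HIER_NONE for the same client and host. The function names and the 5-second correlation window are assumptions made for this example.

```python
import re

# The four access.log lines quoted in the post above.
SAMPLE_LOG = """\
1502203900.513    177 192.168.11.57 TAG_NONE/200 0 CONNECT www.mba-max.de:443 user@domain HIER_DIRECT/78.47.175.105 -
1502203900.523      1 192.168.11.57 TCP_DENIED/407 4762 CONNECT www.mba-max.de:443 - HIER_NONE/- text/html
1502203900.630    104 192.168.11.57 TAG_NONE/200 0 CONNECT www.mba-max.de:443 user@domain HIER_DIRECT/78.47.175.105 -
1502203900.637      0 192.168.11.57 TAG_NONE/503 353 GET https://www.mba-max.de/Login.aspx? user@domain HIER_NONE/- text/html
"""

# Squid native format: time elapsed client tag/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z0-9_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z0-9_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def host_of(entry):
    """Host name from a CONNECT target (host:port) or from an absolute URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    m = re.match(r"https?://([^/:]+)", entry["url"])
    return m.group(1) if m else None

def failed_bumps(log_text, window=5.0):
    """List (client, host, server_ip) where an accepted CONNECT is followed
    within `window` seconds by a 503 that never reached the origin (HIER_NONE)."""
    last_connect = {}   # (client, host) -> (timestamp, server_ip)
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        key, ts = (e["client"], host_of(e)), float(e["ts"])
        if e["method"] == "CONNECT" and e["status"] == "200":
            last_connect[key] = (ts, e["peer"])
        elif e["status"] == "503" and e["hier"] == "HIER_NONE" and key in last_connect:
            c_ts, peer = last_connect[key]
            if ts - c_ts <= window:
                findings.append((e["client"], key[1], peer))
    return findings

if __name__ == "__main__":
    for client, host, peer in failed_bumps(SAMPLE_LOG):
        print(f"{client}: tunnel to {host} ({peer}) accepted, then 503 inside it")
```

Hosts reported this way can be compared against the matching "Error negotiating SSL" entries in cache.log by timestamp.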