chromium based browsers don't play a video, when sslbump is enabled

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

chromium based browsers don't play a video, when sslbump is enabled

Dieter Bloms-3
Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.

When I disable sslbumping for this destination the chromium based
browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

with wget or curl I can download the mp4 file in both cases (with and without sslbump)

Can anybody try to view the video in a chromium based browser with enabled sslbump ?

Thank you very much.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: chromium based browsers don't play a video, when sslbump is enabled

Eliezer Croitoru-3
It's not clear if only Chromium or also a simple Chrome.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Dieter Bloms
Sent: Wednesday, January 20, 2021 1:26 PM
To: [hidden email]
Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.

When I disable sslbumping for this destination the chromium based
browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

with wget or curl I can download the mp4 file in both cases (with and without sslbump)

Can anybody try to view the video in a chromium based browser with enabled sslbump ?

Thank you very much.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: chromium based browsers don't play a video, when sslbump is enabled

Dieter Bloms-3
Hello Eliezer,

I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75.

On Wed, Jan 20, Eliezer Croitoru wrote:

> It's not clear if only Chromium or also a simple Chrome.
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: [hidden email]
> Zoom: Coming soon
>
>
> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf Of Dieter Bloms
> Sent: Wednesday, January 20, 2021 1:26 PM
> To: [hidden email]
> Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
>
> Hello,
>
> I use squid 4.13 with enabled sslbump.
> Chromium based browsers like chrome and edge don't play this video
> https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
> The firefox browser and the old internet explorer have no problems.
>
> When I disable sslbumping for this destination the chromium based
> browsers work as well.
>
> Here are some parts of my config:
>
> --snip--
> http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> sslcrtd_children 32 startup=10 idle=3
> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
>
> acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
> ssl_bump splice nobumping
> ssl_bump bump all
> --snip--
>
> with wget or curl I can download the mp4 file in both cases (with and without sslbump)
>
> Can anybody try to view the video in a chromium based browser with enabled sslbump ?
>
> Thank you very much.
>
>
> --
> Regards
>
>   Dieter
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my address in the
> From field.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

--
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: chromium based browsers don't play a video, when sslbump is enabled

Eliezer Croitoru-3
I can watch both Edge and Chromium here with a "naked" sslbump:
1611161802.690  16176 192.168.189.48 TCP_MISS/206 30704989 GET https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4 - ORIGINAL_DST/85.214.58.228 video/mp4 admin.wissen-ad.de

# squid -v
Squid Cache: Version 5.0.4-20201125-r5fadc09ee
Service Name: squid

This binary uses OpenSSL 1.1.1g FIPS  21 Apr 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'CXX=g++' 'CXXFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' --enable-ltdl-convenience


Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Dieter Bloms
Sent: Wednesday, January 20, 2021 6:01 PM
To: [hidden email]
Subject: Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

Hello Eliezer,

I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75.

On Wed, Jan 20, Eliezer Croitoru wrote:

> It's not clear if only Chromium or also a simple Chrome.
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: [hidden email]
> Zoom: Coming soon
>
>
> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf Of Dieter Bloms
> Sent: Wednesday, January 20, 2021 1:26 PM
> To: [hidden email]
> Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
>
> Hello,
>
> I use squid 4.13 with enabled sslbump.
> Chromium based browsers like chrome and edge don't play this video
> https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
> The firefox browser and the old internet explorer have no problems.
>
> When I disable sslbumping for this destination the chromium based
> browsers work as well.
>
> Here are some parts of my config:
>
> --snip--
> http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> sslcrtd_children 32 startup=10 idle=3
> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
>
> acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
> ssl_bump splice nobumping
> ssl_bump bump all
> --snip--
>
> with wget or curl I can download the mp4 file in both cases (with and without sslbump)
>
> Can anybody try to view the video in a chromium based browser with enabled sslbump ?
>
> Thank you very much.
>
>
> --
> Regards
>
>   Dieter
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my address in the
> From field.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

--
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: chromium based browsers don't play a video, when sslbump is enabled

Amos Jeffries
Administrator
In reply to this post by Dieter Bloms-3
The config you have is doing client-first bumping (bump at step). It happens before the real cert or server details are available. As such any number of TLS features or extensions may be missing (or added) by squid that indicate problems to the browser.

If you can use a config the peek/stare/splice at the step 1-2 and bump only at step it may work better.

If you require this config, or have issues even with a step bump you will need to trace the TLS details being negotiated on both squid-browser and squid-server connections.

Amos


-------- Original message --------
From: Dieter Bloms <[hidden email]>
Date: Thu, 21 Jan 2021, 00:25
To: [hidden email]
Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.

When I disable sslbumping for this destination the chromium based
browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

with wget or curl I can download the mp4 file in both cases (with and without sslbump)

Can anybody try to view the video in a chromium based browser with enabled sslbump ?

Thank you very much.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users