Re: [squid-users] ssl-bump, server-first

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 19 Mar 2013 14:48:26 -0600

On 03/19/2013 01:27 PM, Delton wrote:
> Dear,
>
> I compiled Squid 3.3.3 on a Debian 7 with the --enable-ssl and
> --enable-ssl-crtd.
>
> I wish Squid to show an error message to a user who accesses a blocked
> page, for example https://www.facebook.com
>
> It worked more or less: imported the root certificate in the browser and
> access an HTTPS site when the certificate is displayed correctly.

Do you mean that everything works for non-blocked sites?

> With the option 'ssl-server-first bump all' active, the site is not
> displayed correctly.

There is no "ssl-server-first" directive in Squid. Did you mean
"ssl_bump ssl-server-first all"? Your configuration shows:

> ssl_bump first-server all

There is no "first-server" option for ssl_bump. Did you mean "server-first"?

Please fix your configuration and retest. If you are still having
problems, please clarify what works, what does not, and what
configuration (or request) changes result in problems.

> The logs showed, for example:
>
> 1363716588.893 364 192.168.0.52 TCP_MISS/200 24765 GET
> https://www.google.com.br/ - PINNED/2800:3f0:4001:804::101f text/html
>
> Then I applied the following patch:
>
> http://master.squid-cache.org/~amosjeffries/patches/pinning_hier_note.patch
>
> Now there is no more PINNED displayed in the logs, but even so the sites
> do not display correctly.

You should see PINNED for requests sent over correctly bumped SSL
connections. AFAIK, Amos' patch fixes the wrong IPv6 address. The
"PINNED" part before that IPv6 address was not wrong.

Amos, will your pinning_hier_note.patch patch log forward bumped
requests as non-PINNED?

> When accessing facebook.com, the first thing shown is the browser's
> default message: there are connection problems. Pressing F5 properly
> displays the Squid page with the message Access Denied.

Interesting. I do not know what exactly can cause that, but let's start
with fixing your configuration as discussed above.

Thank you,

Alex.
Received on Tue Mar 19 2013 - 20:48:30 MDT
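For readers following this thread, the fragment below is an added example of the squid.conf layout the corrected directive belongs in; it is not from the original mail or from the Squid project. It shows the "ssl_bump server-first all" spelling Alex points to, together with a dstdomain ACL that denies the decrypted request for the blocked site so Squid's own error page reaches the browser. The port, certificate path, ssl_crtd paths, client subnet and cache sizes are assumptions for a Squid 3.3 build with --enable-ssl and --enable-ssl-crtd.

```conf
# Added example, not from the original mail or the Squid project.
# Paths, port, subnet and cache sizes are assumptions; adjust to your install.

# Proxy port with SSL bumping and on-the-fly certificate generation.
# myCA.pem holds the CA certificate and key whose root the browser imported.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

# Certificate-generation helper from --enable-ssl-crtd. The database
# directory must be created once beforehand with: ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# The directive discussed in the thread, spelled correctly: the bumping
# mode comes first, then the ACL. Neither "ssl-server-first bump all" nor
# "ssl_bump first-server all" is accepted.
ssl_bump server-first all

acl localnet src 192.168.0.0/24          # assumed client subnet
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked_sites dstdomain .facebook.com

# Refuse tunnels to anything other than the HTTPS port.
http_access deny CONNECT !SSL_ports

# Let the CONNECT through so Squid can bump it. If the CONNECT itself were
# denied, the browser would show its own connection error instead of
# Squid's page, because the error body never reaches a tunnel request.
http_access allow CONNECT localnet

# After bumping, the decrypted GET https://www.facebook.com/ is checked
# against http_access like a plain HTTP request, so this deny is what
# produces Squid's Access Denied error page inside the browser.
http_access deny blocked_sites

http_access allow localnet
http_access deny all
```

With this ordering, a bumped request to an allowed site is logged with PINNED in the hierarchy field, as in the google.com.br line quoted above, while a request to the blocked domain is logged as denied and the client receives Squid's error page rather than the browser's own connection-failure message.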
