Re: [squid-users] Error negotiating SSL connection on FD ##: Closed by client

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Thu, 10 Apr 2014 08:58:34 +1000

That’s awesome. I’ll check these out — thanks.

On 10 Apr 2014, at 1:03 am, Guy Helmer <guy.helmer_at_palisadesystems.com> wrote:

> On Apr 7, 2014, at 6:34 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
>
>> Thanks, Guy.
>>
>> I’m almost tempted to just ssl_bump none for 23.0.0.0/12, but I’m sure that would lead to all sorts of annoyances for clients who are tracking users’ download usage etc.
>>
>> I’d appreciate if you could share your list of IP addresses, might be useful for us.
>>
>
> Some CIDRs of interest and the date I verified them. Akamai numbers are bound to vary based on logical and geographical location. Validate before use.
>
> 11/27/2013: Dropbox: 108.160.160.0/20
>
> 06/03/2013: WebEx: 64.68.96.0/19
>
> 05/03/2013: Mozilla: 63.245.208.0/20
>
> 11/20/2012: Akamai: 184.24.0.0/13
>
> 7/31/2012: swcdn.apple.com: 157.238.0.0/16
>
> 6/27/2012: Dropbox: 199.47.216.0/22
>
> 6/12/2012: Akamai 23.32.0.0/11, 207.108.0.0/15, 209.211.216.0/24, 204.93.46.0/23, 216.243.192.0/19, 216.243.197.224/20
>
> 5/9/2012: supportdownload.apple.com: 67.135.105.0/24 (Akamai)
>
> 3/9/2012: Quicken: 206.108.40.0/21
>
> Guy
>
>> Dan
>>
>> On 7 Apr 2014, at 11:23 pm, Guy Helmer <ghelmer_at_palisadesystems.com> wrote:
>>
>>> On Apr 6, 2014, at 11:58 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
>>>
>>>> This somewhat vague error comes up with relative frequency from iOS apps when browsing via our Squid 3.4.4 intercepting proxy which is performing server-first SSL Bumping.
>>>>
>>>> The requests in question don’t make it as far as the access log, but with debug_options 28,3 26,3, the dst IP can be identified and allowed through with ssl_bump none.
>>>>
>>>> The device trusts Squid's CA, but apparently that’s not enough for the Twitter iOS app and certain Akamai requests that App Store updates use.
>>>>
>>>> Can anyone suggest how one might debug this further? Or just an idea of why the client might be closing the SSL connection in certain cases?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>
>>> I suspect that the Twitter app is using certificate pinning to prevent man-in-the-middle decryption: https://dev.twitter.com/docs/security/using-ssl
>>>
>>> IIRC, I have had some difficulty tracking down or obtaining intermediate certs that Akamai uses. I ended up whitelisting many Akamai IP addresses from SSL interception on my test network.
>>>
>>> Guy
>>
>
Received on Wed Apr 09 2014 - 22:58:49 MDT
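As an added illustration of the "validate before use" advice in the thread (this is not code from the thread or from Squid; the helper names are mine), the script below normalises the quoted CIDRs, flags any with host bits set or already covered by a wider prefix, renders the survivors as a Squid 3.4 ssl_bump exemption, and checks whether a dst IP taken from the debug_options output would be exempted:

```python
import ipaddress

# CIDRs as quoted in the thread, keyed by the date the poster said he verified
# them (constructed dict; treat the contents as stale until re-validated).
EXEMPTIONS = {
    "2013-11-27 Dropbox": ["108.160.160.0/20"],
    "2013-06-03 WebEx": ["64.68.96.0/19"],
    "2013-05-03 Mozilla": ["63.245.208.0/20"],
    "2012-11-20 Akamai": ["184.24.0.0/13"],
    "2012-07-31 swcdn.apple.com": ["157.238.0.0/16"],
    "2012-06-27 Dropbox": ["199.47.216.0/22"],
    "2012-06-12 Akamai": ["23.32.0.0/11", "207.108.0.0/15", "209.211.216.0/24",
                          "204.93.46.0/23", "216.243.192.0/19", "216.243.197.224/20"],
    "2012-05-09 supportdownload.apple.com": ["67.135.105.0/24"],
    "2012-03-09 Quicken": ["206.108.40.0/21"],
}

def check_cidrs(entries):
    """Normalise each CIDR and report two problem classes: host bits set
    (not a real network boundary) and redundancy (already inside a wider
    exemption). Returns (deduplicated networks, list of problem strings)."""
    nets, problems = [], []
    for label, cidrs in entries.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) != cidr:
                problems.append(f"{label}: {cidr} has host bits set; boundary is {net}")
            nets.append((label, net))
    keep = []
    for label, net in nets:
        wider = [o for _, o in nets if o != net and net.subnet_of(o)]
        if wider:
            problems.append(f"{label}: {net} is already covered by {wider[0]}")
        else:
            keep.append(net)
    return keep, problems

def squid_acl(nets, acl_name="no_bump_dst"):
    """Render Squid 3.4 directives: no bumping for the exempt destinations,
    server-first bumping for everything else (first matching rule wins)."""
    return "\n".join([
        f"acl {acl_name} dst " + " ".join(str(n) for n in nets),
        f"ssl_bump none {acl_name}",
        "ssl_bump server-first all",
    ])

def exempting_network(ip, nets):
    """For a dst IP read from the debug_options 28,3 26,3 output, return the
    exemption that would match it, or None if the connection is still bumped."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)
```

Every exempted prefix is traffic the proxy no longer inspects, so the problem list is worth reading before the ACL goes into squid.conf.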
