[squid-users] [Fwd: ssl-bump and tunneling]

From: James Lay <jlay_at_slave-tothe-box.net>
Date: Sat, 26 Apr 2014 09:29:04 -0600

From the docs:

# none
# Become a TCP tunnel without decoding the connection.
# Works with both CONNECT requests and intercepted SSL
# connections. This is the default behavior when no
# ssl_bump option is given or no ssl_bump ACLs match.

I have the below:

acl broken_sites dstdomain .textnow.me
acl broken_sites dstdomain .akamaiedge.net
acl broken_sites dstdomain .akamaihd.net
acl broken_sites dstdomain .apple.com

sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all

sslproxy_options ALL
ssl_bump none broken_sites
ssl_bump server-first all

The above sites, however, still will not function. Packet captures show
the below:

135 136 2014-04-26 09:10:41.040857 192.168.1.110 -> 209.59.180.54 TCP 74
44955 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1
TSval=21160983 TSecr=0 WS=2
137 2014-04-26 09:10:41.040934 209.59.180.54 -> 192.168.1.110 TCP 74 443
> 44955 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
TSval=22194209 TSecr=21160983 WS=16
138 2014-04-26 09:10:41.043198 192.168.1.110 -> 209.59.180.54 TCP 66
44955 > 443 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=21160986
TSecr=22194209
139 2014-04-26 09:10:41.045514 192.168.1.110 -> 209.59.180.54 SSL 146
Client Hello
140 2014-04-26 09:10:41.045589 209.59.180.54 -> 192.168.1.110 TCP 66 443
> 44955 [ACK] Seq=1 Ack=81 Win=14480 Len=0 TSval=22194210 TSecr=21160986
141 2014-04-26 09:10:41.321754 209.59.180.54 -> 192.168.1.110 TLSv1 2962
Server Hello
142 2014-04-26 09:10:41.321804 209.59.180.54 -> 192.168.1.110 TLSv1 240
Certificate
143 2014-04-26 09:10:41.688021 192.168.1.110 -> 209.59.180.54 TCP 66
44955 > 443 [ACK] Seq=81 Ack=1449 Win=8736 Len=0 TSval=21161150
TSecr=22194279
144 2014-04-26 09:10:41.696392 192.168.1.110 -> 209.59.180.54 TCP 66
44955 > 443 [ACK] Seq=81 Ack=2897 Win=11632 Len=0 TSval=21161151
TSecr=22194279
145 2014-04-26 09:10:41.697215 192.168.1.110 -> 209.59.180.54 TCP 66
44955 > 443 [ACK] Seq=81 Ack=3071 Win=14528 Len=0 TSval=21161152
TSecr=22194279
146 2014-04-26 09:10:41.743603 192.168.1.110 -> 209.59.180.54 TLSv1 632
Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
147 2014-04-26 09:10:41.743656 209.59.180.54 -> 192.168.1.110 TCP 66 443
> 44955 [ACK] Seq=3071 Ack=647 Win=15616 Len=0 TSval=22194385
TSecr=21161165
148 2014-04-26 09:10:41.744205 192.168.1.110 -> 209.59.180.54 TCP 66
44955 > 443 [FIN, ACK] Seq=647 Ack=3071 Win=14528 Len=0 TSval=21161165
TSecr=22194279
149 2014-04-26 09:10:41.781873 209.59.180.54 -> 192.168.1.110 TCP 66 443
> 44955 [ACK] Seq=3071 Ack=648 Win=15616 Len=0 TSval=22194395
TSecr=21161165
150 2014-04-26 09:10:41.844906 209.59.180.54 -> 192.168.1.110 TLSv1 109
Change Cipher Spec, Encrypted Handshake Message
151 2014-04-26 09:10:41.845076 209.59.180.54 -> 192.168.1.110 TLSv1 89
Encrypted Alert
152 2014-04-26 09:10:41.845196 209.59.180.54 -> 192.168.1.110 TCP 66 443
> 44955 [FIN, ACK] Seq=3137 Ack=648 Win=15616 Len=0 TSval=22194410
TSecr=21161165
153 2014-04-26 09:10:41.850790 192.168.1.110 -> 209.59.180.54 TCP 60
44955 > 443 [RST] Seq=648 Win=0 Len=0
154 2014-04-26 09:10:41.853153 192.168.1.110 -> 209.59.180.54 TCP 60
44955 > 443 [RST] Seq=648 Win=0 Len=0
155 2014-04-26 09:10:41.853748 192.168.1.110 -> 209.59.180.54 TCP 60
44955 > 443 [RST] Seq=648 Win=0 Len=0

This is on a Linux machine with two interfaces acting as a router, one
NIC internal, the other external. Thanks for any assistance you can
give.

James

PS. I find it hilarious that a mailing list about a web proxy doesn't
accept HTML formatted emails :D

ezmlm-reject: fatal: Sorry, a message part has an unacceptable MIME
Content-Type: multipart/alternative (#5.2.3)
Sorry, for security reasons this list only accepts plain text email and
no large attachments. Please configure your mail client accordingly

Received on Sat Apr 26 2014 - 15:29:13 MDT
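As an added example (not part of the post or of Squid), a small parser for tshark-style lines like the ones in the capture above: it groups frames by IP pair, notes which TLS milestones each flow reached, and flags a session that the TLS-client side tore down right after sending its Finished without any Application Data ever flowing, which is the pattern the capture shows. The sample is condensed from the post's capture; the frame layout, field names and verdict strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the post's tshark-style output, condensed to one line per
# frame (wrapped continuation lines re-joined, pure ACK frames dropped).
CAPTURE = """\
139 2014-04-26 09:10:41.045514 192.168.1.110 -> 209.59.180.54 SSL 146 Client Hello
141 2014-04-26 09:10:41.321754 209.59.180.54 -> 192.168.1.110 TLSv1 2962 Server Hello
142 2014-04-26 09:10:41.321804 209.59.180.54 -> 192.168.1.110 TLSv1 240 Certificate
146 2014-04-26 09:10:41.743603 192.168.1.110 -> 209.59.180.54 TLSv1 632 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
148 2014-04-26 09:10:41.744205 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [FIN, ACK] Seq=647 Ack=3071 Win=14528 Len=0
151 2014-04-26 09:10:41.845076 209.59.180.54 -> 192.168.1.110 TLSv1 89 Encrypted Alert
153 2014-04-26 09:10:41.850790 192.168.1.110 -> 209.59.180.54 TCP 60 44955 > 443 [RST] Seq=648 Win=0 Len=0
"""

# Frame layout assumed from the post: "<no> <date> <time> <src> -> <dst> <proto> <len> <info>"
FRAME_RE = re.compile(r"^(?P<no>\d+) \S+ \S+ (?P<src>\S+) -> (?P<dst>\S+) \S+ \d+ (?P<info>.*)$")

MILESTONES = ("Client Hello", "Server Hello", "Client Key Exchange",
              "Application Data", "Encrypted Alert")

def summarize_flows(text):
    """Group frames by IP pair; record TLS milestones and the first client-side teardown."""
    flows = defaultdict(lambda: {"client": None, "seen": set(), "client_teardown": None})
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # wrapped fragments and non-frame lines are ignored
        fl = flows[tuple(sorted((m["src"], m["dst"])))]
        info = m["info"]
        if "Client Hello" in info:
            fl["client"] = m["src"]  # whoever sends Client Hello is the TLS client
        fl["seen"].update(k for k in MILESTONES if k in info)
        if (m["src"] == fl["client"] and fl["client_teardown"] is None
                and ("[FIN" in info or "[RST" in info)):
            fl["client_teardown"] = m["no"]  # frame number of the first FIN/RST
    return dict(flows)

def classify(fl):
    """Name the pattern; the post's flow is the 'client closed right after handshake' case."""
    seen = fl["seen"]
    if "Client Hello" not in seen:
        return "no_tls_handshake"
    if "Application Data" in seen:
        return "ok_application_data"
    if "Client Key Exchange" in seen and fl["client_teardown"]:
        return "client_closed_after_handshake_no_appdata"
    return "handshake_incomplete"
```

Run it over a full capture (one frame per line) and every flow that classifies as closed-after-handshake is a candidate for a certificate or bump-policy problem rather than a network one, since the TCP and TLS handshakes both completed.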
