Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Mon, 16 Jun 2014 17:30:22 -0500

Running into another issue, not sure what's going on here.

ALL HTTPS connections are being denied. Temporarily, selinux is disabled
and firewall is off. We have it working on 2 other servers with same OS,
same kernel, same settings but it is just this one that refuses to allow
connections to HTTPS sites.

We went with this version since none of the other rpms (3.4x and newer)
we could find included the ssl_crtd without manually compiling the
entire thing, which we wanted to stay away from if possible, due to ease
of updating squid at some point down the road on many servers without
having to recompile on dozens (or maybe hundreds by then) when it comes
time.

The cache.log shows no errors. "squid -k parse" shows no errors.

[root_at_servername $]# yum info squid
Loaded plugins: security
Installed Packages
Name : squid
Arch : x86_64
Epoch : 7
Version : 3.5.0.001
Release : 1.el6
Size : 8.2 M
Repo : installed

[root_at_servername $]# squid -v
Squid Cache: Version 3.HEAD-20140127-r13248
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384'
'--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

From access.log:
TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html

Rules are same as previously mentioned:

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost
always_direct allow all

visible_hostname xxxxx.xx.net
cache_mgr xxxx_at_xx.net
dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
hosts_file /etc/hosts

#cache_access_log /dev/null
#cache_store_log none
#cache_log /dev/null
# acl blacklist dstdomain -i "/etc/squid/domains"
# http_access deny blacklist

# Below line is for troubleshooting only, comment out when sys goes to production
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
debug_options ALL,0

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 10000 32 512
cache_effective_user squid

The cache store (store.log) shows a lot of entries like this:
RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ? ? ? ?/? ?/? ? ?

So any idea why this one system is always showing the TCP denied on the
secure sites despite having same settings as other servers at the same
location?

Thanks,
Mike
Received on Mon Jun 16 2014 - 22:30:23 MDT
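Two things in the posted fragment can be checked mechanically, and the script below does so as an added example (my code, not from the post or the Squid project): ssl_bump rules are first-match, so `ssl_bump server-first all` makes the `ssl_bump none localhost` after it unreachable, and the fragment as shown carries no http_access rules at all, which with Squid's documented default (deny when none exist) would produce exactly the TCP_DENIED/403 lines above. The sample config is constructed from the post's own lines, with the wrapped https_port line written using Squid's backslash continuation.

```python
from typing import List

# Constructed sample: the access-related lines of the posted squid.conf.
SAMPLE_CONF = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off \\
  generate-host-certificates=on dynamic_cert_mem_cache_size=16MB \\
  cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
ssl_bump server-first all
ssl_bump none localhost
always_direct allow all
# http_access deny blacklist   (commented out in the post, so not a rule)
"""


def parse_directives(conf: str) -> List[List[str]]:
    """One token list per logical line: '#' comments dropped, '\\' continuations joined."""
    logical, pending = [], ""
    for raw in conf.splitlines():
        text = raw.split("#", 1)[0].rstrip()
        if text.endswith("\\"):
            pending += text[:-1] + " "   # keep accumulating until the line ends without '\'
            continue
        text, pending = pending + text, ""
        if text.strip():
            logical.append(text.split())
    return logical


def lint_access_rules(conf: str) -> List[str]:
    """Report ssl_bump rules shadowed by an earlier 'all' rule and a fragment lacking http_access."""
    findings = []
    directives = parse_directives(conf)
    bumps = [d for d in directives if d[0] == "ssl_bump"]
    for i, rule in enumerate(bumps):
        # ssl_bump is evaluated top-down, first match wins; a rule whose only ACL is
        # 'all' matches every connection, so every later ssl_bump line is dead.
        if rule[2:] == ["all"]:
            for later in bumps[i + 1:]:
                findings.append("unreachable: '%s' is shadowed by '%s'"
                                % (" ".join(later), " ".join(rule)))
            break
    if not any(d[0] == "http_access" for d in directives):
        findings.append("no http_access rules: Squid's default with none configured is deny, "
                        "which shows up as TCP_DENIED/403 on every CONNECT")
    return findings


if __name__ == "__main__":
    for finding in lint_access_rules(SAMPLE_CONF):
        print(finding)
```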
