Re: Testing ssl-bump-server-first with an upstream proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 23 Nov 2012 15:39:41 +1300

On 23/11/2012 7:15 a.m., Steve Hill wrote:
>
> I'm currently testing the SSL bump-server-first functionality in Squid
> 3.3.0.1-20121122-r12391. I have an upstream proxy with "never-direct
> allow all" set (the reasons for this are slightly convoluted :).
>
> When making a bumped request, Squid bombs with:
> 2012/11/22 17:53:57 kid1| assertion failed: forward.cc:769:
> "peer->use_ssl"
>
> The post at
> http://www.squid-cache.org/mail-archive/squid-dev/201206/0089.html says:
> "Allow bumping of CONNECT requests without allow-direct set on http_port.
> Previously, that flag was required to allow bumped requests to go direct
> because they were (and, sometimes, still are) considered "accelerated"."
>
> So I assume this is supposed to work?
>

Not exactly. The upstream destination still requires SSL connectivity to
be usable - and the client will be faced with certificate domain does
not match errors unless your peer is also able to perform server-first
bumping when it gets contacted by your Squid.

It looks to me like your peer is receiving plain-HTTP and cannot be
"bumped" to supply SSL server cert details.

Amos
Received on Fri Nov 23 2012 - 02:39:54 MST
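As an added example (not code from this thread and not Squid's own code), here is a small static check for the squid.conf combination the reply above describes: bumping enabled, never_direct forcing requests to a cache_peer, and that cache_peer lacking the ssl option, which is the situation in which Squid has no TLS connectivity to the peer and the quoted forward.cc assertion on peer->use_ssl fires. The two sample configs and the peer hostname upstream.example.net are constructed for illustration; the check only tells you the peer line is missing ssl, it cannot tell you whether the peer itself bumps server-first as Amos says it must.

```python
# Added example (not from this thread or from Squid): a static check for
# the squid.conf combination behind the quoted assertion
#   forward.cc: "peer->use_ssl"
# i.e. bumped requests forced to a cache_peer that is not marked "ssl".
# Sample configs and the hostname upstream.example.net are constructed.


def parse_squid_conf(text):
    """Split squid.conf text into (directive, [args]) pairs.

    Comments (#...) and blank lines are dropped; tokens are whitespace
    separated, which is all the directives examined here need.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            entries.append((tokens[0], tokens[1:]))
    return entries


def check_bump_peers(text):
    """Return warnings for cache_peer lines that cannot carry bumped traffic.

    A warning is produced when all three hold:
      * bumping is on (ssl_bump server-first / client-first, or an
        http_port / https_port carrying the ssl-bump flag),
      * never_direct allow ... forces requests to peers, and
      * a cache_peer lacks the 'ssl' option, so Squid has no TLS
        connectivity to it and the peer->use_ssl assertion fires.
    """
    conf = parse_squid_conf(text)

    bumping = any(
        (name == "ssl_bump" and args and args[0] in ("server-first", "client-first"))
        or (name in ("http_port", "https_port") and "ssl-bump" in args)
        for name, args in conf
    )
    forced_to_peers = any(
        name == "never_direct" and args and args[0] == "allow"
        for name, args in conf
    )
    if not (bumping and forced_to_peers):
        return []

    warnings = []
    for name, args in conf:
        if name != "cache_peer" or len(args) < 4:
            continue  # not a peer line, or too short to be one
        # cache_peer hostname type http-port icp-port [options...]
        host, options = args[0], args[4:]
        if "ssl" not in options:
            warnings.append(
                "cache_peer %s: bumped requests are forced to this peer but it "
                "has no 'ssl' option; Squid cannot open TLS to it and will "
                "assert on peer->use_ssl" % host
            )
    return warnings


# Constructed sample of the reported setup: peer reached over plain HTTP.
CONF_BROKEN = """
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/squid.pem
ssl_bump server-first all
cache_peer upstream.example.net parent 3128 0 no-query default
never_direct allow all
"""

# Same config with the peer marked ssl, so Squid opens TLS to it.  The peer
# itself must still be able to bump server-first; a config lint cannot
# check that side.
CONF_FIXED = """
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/squid.pem
ssl_bump server-first all
cache_peer upstream.example.net parent 3128 0 no-query default ssl
never_direct allow all
"""

if __name__ == "__main__":
    for label, conf in (("broken", CONF_BROKEN), ("fixed", CONF_FIXED)):
        found = check_bump_peers(conf)
        print(label, "->", found or "no problems found")
```

Run it against your own squid.conf by passing the file contents to check_bump_peers(); an empty list means the peer lines at least carry the ssl option, not that the peer's own bumping setup is correct.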
