Re: [squid-users] ssl-bump, server-first

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 20 Mar 2013 11:35:06 -0600

On 03/20/2013 11:04 AM, Delton wrote:
> Em 20/03/2013 12:00, Alex Rousskov escreveu:
>> On 03/20/2013 04:54 AM, Delton wrote:
>>> For HTTPS, when the site is blocked as often is the message from
>>> Squid and sometimes displays the fault message in the browser
>>> connection.

>>> The first time when accessing(direct, no F5):
>>>
>>> 1363776566.837 0 192.168.0.52 TCP_DENIED/200 0 CONNECT
>>> www.facebook.com:443 - HIER_NONE/- -
>>> 1363776566.912 0 192.168.0.52 NONE/403 3575 GET
>>> https://www.facebook.com/ - HIER_NONE/- text/html
>>>
>>> I see the error message from Squid.

>> The above looks correct to me: Squid knew that the connection should be
>> denied, responded with 200 OK to the CONNECT request, bumped the
>> connection, received the first bumped GET request, and sent the error
>> message.
>>
>> Does browser show any signs that it is expecting more of the Squid error
>> message (e.g., spinning browser logo or some such)? Or does it look like
>> the browser is 100% happy? Is there an established TCP connection from
>> browser to Squid after the above Squid error message is displayed for a
>> few seconds?

> I used tcpdump and Wireshark to see the connections.
> In the first time, the browser connects to the server over TLSv1 sending
> Client Hello.

Doesn't the browser connect to Squid using the HTTP CONNECT method? Your
Squid configuration did not show any signs of interception IIRC, so the
browser should use a CONNECT method to send an HTTP request. Why is your
browser connecting to the server (instead of Squid)? If by "server" you
meant Squid, then why doesn't the browser send a plain CONNECT request
first? Or does it?

> Then the connection continues until the server sends FIN,
> ACK. This looks correct for me.

OK, it sounds like the connection is closed.

> In the second time,

I assume you are now talking about the case where you hit F5 for the
first time.

> the browser tries to connect over SSL.

The earlier questions apply: Where does the browser connect to exactly,
and does the browser use a CONNECT method first?

> When the browser sends Client Hello, the server sends back RST, ACK.

I see the difference with the before-F5 case above, but since I am
confused about what is actually going on, I will wait for your
clarifications before continuing with this analysis.

Suggested terminology: browser or client, Squid or proxy, origin server.
Please do not skip critical steps such as CONNECT.

I also noticed that your http_access rules are very strange if not broken:

>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny block

OK, the above makes sense.

>>> http_access deny all

Now you are denying access to all requests that did not match the
earlier http_access rules. Thus, only the above rules matter and you are
only allowing access to localhost cache manager. Do you really want to
block all non-manager traffic going through Squid?

And the following rules have no effect since "all" in "deny all" above
always matches:

>>> http_access allow localnet
>>> http_access allow localhost

HTH,

Alex.
Received on Wed Mar 20 2013 - 17:35:09 MDT
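The ordering problem Alex points out above (a "deny all" line shadows every http_access line after it) follows from Squid's first-match rule: each http_access line is a list of ACLs that must all match, the first matching line decides, and if no line matches the result is the opposite of the last line's action. The script below is an added example, not Squid's code or anything from the thread; it models that evaluation with a handful of constructed ACL definitions (the localnet range, the Safe_ports list and the "block" domain list are assumptions of this example) and reports which lines of a rule set can never be reached. It runs the quoted rule set both as posted and with "deny all" moved to the end.

```python
"""Simplified model of Squid's first-match http_access evaluation (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str                 # client IP as seen by the proxy
    method: str              # GET, CONNECT, ...
    port: int                # destination port
    host: str                # destination host
    cache_mgr: bool = False  # True for cache-manager requests


# Constructed ACL definitions. The names mirror the stock squid.conf, but the
# definitions themselves are this example's assumptions, not Squid's.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r.src).is_loopback,
    "localnet": lambda r: ipaddress.ip_address(r.src) in ipaddress.ip_network("192.168.0.0/16"),
    "manager": lambda r: r.cache_mgr,
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port in {80, 21, 443, 70, 210, 280, 488, 591, 777} or r.port >= 1025,
    # Constructed blocklist standing in for the "block" ACL of the thread.
    "block": lambda r: r.host == "facebook.com" or r.host.endswith(".facebook.com"),
}

# The rule set as quoted in the thread.
BROKEN_CONF = """
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny block
http_access deny all
http_access allow localnet
http_access allow localhost
"""

# Same lines with the catch-all "deny all" moved to the end.
FIXED_CONF = """
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny block
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_http_access(text):
    """Return [(action, [acl tokens]), ...] for every http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(token, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    negate = token.startswith("!")
    return ACLS[token.lstrip("!")](req) != negate


def evaluate(rules, req):
    """First line whose ACLs all match decides; otherwise the opposite of the last line."""
    last_action = "allow"
    for last_action, tokens in rules:
        if all(acl_matches(t, req) for t in tokens):
            return last_action
    return "deny" if last_action == "allow" else "allow"


def unreachable(rules):
    """0-based indices of lines that follow an unconditional 'all' line and can never be consulted."""
    for i, (_, tokens) in enumerate(rules):
        if tokens == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    lan_get = Request("192.168.0.52", "GET", 80, "example.com")
    for label, conf in (("as posted", BROKEN_CONF), ("deny all last", FIXED_CONF)):
        rules = parse_http_access(conf)
        print(f"{label}: LAN GET -> {evaluate(rules, lan_get)}, unreachable lines: {unreachable(rules)}")
```

Running it shows the posted order denying an ordinary LAN request and flagging the two allow lines as dead, while the reordered set allows that request yet still denies the blocked domain, non-SSL CONNECTs and clients outside localnet.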
