Feature Request: More Flexible Squid Configuration Interface

Started by AlexV, February 25, 2020, 02:28:29 AM

I am trying the SSL Inspection with Squid and ClamAV, all works fine with most sites, but there are some sites
like Windows Update or Cisco or Adobe sites and so on that can cause issues.

The problem is the same for all these sites:
Quote:
The following error was encountered while trying to retrieve the URL: https://72.163.4.74/*

    Failed to establish a secure connection to 72.163.4.74

The system returned:

    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

The problem can be solved by manually changing the Squid configuration in the CLI; unfortunately, however, if for any reason changes are made to the configuration via the GUI, the changes made by editing the configuration in the CLI are lost because the file is regenerated from scratch.

Could you implement fields to make these changes directly from the GUI?

Best Regards

A.V



Hi, for Windows Update the solution is this access list in pre-auth:

Quote:
# Step 1 of SslBump: only the TCP destination is known, the TLS ClientHello (and its SNI) has not been read yet
acl DiscoverSNIHost at_step SslBump1
# Servers whose TLS is never decrypted; these are regexes, so an unescaped dot matches any character
acl NoSSLIntercept ssl::server_name_regex microsoft.com
acl NoSSLIntercept ssl::server_name_regex .microsoft.com
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

# Pass matching servers through untouched, peek at step 1 to learn the SNI, decrypt everything else
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# Servers whose certificate name does not match the requested host; only that single error is tolerated for them
acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
# Every other certificate error is still refused
sslproxy_cert_error deny all

and this:
Quote:
# Same exemption, but the dstdomain entries are read from a file (one domain per line)
acl BrokenButTrustedServers dstdomain "/usr/local/squid/etc/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

I am not a Squid expert, so I may have made some mistakes, but I found the solution on the OPNsense German forums, here:

https://forum.opnsense.org/index.php?topic=6648.0

To resolve the cert error for all sites, I think that the access list
sslproxy_cert_error deny all

must be modified to
sslproxy_cert_error allow all
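The ACLs in the reply above mix two matching mechanisms: ssl::server_name_regex (a regex against the SNI, where an unescaped dot is a wildcard and an unanchored pattern also matches hosts such as evilmicrosoft.com) and dstdomain (exact host, or domain plus subdomains when the entry starts with a dot). The following is an added example, not code from this thread, OPNsense or Squid: it generates anchored, escaped patterns for the bypass list, emulates both match types so you can see which hostnames each entry really covers, and renders the same squid.conf section with the exemption kept narrow (one tolerated error for a named list) rather than "allow all". The ACL names and the dstdom.broken path are taken from the thread; the hostname lists are constructed sample input, and the ssl_bump order (peek at step 1, then splice, then bump) is the one used in the Squid documentation.

```python
"""Generate Squid TLS-bypass ACLs from hostname lists and check what they match.

Added example for this thread (not OPNsense or Squid code). ACL names and the
dstdom.broken path come from the thread; the domain lists are constructed.
"""
import re

# Constructed sample input: sites to splice (never decrypt) and sites whose
# certificate name mismatch is tolerated.
BYPASS_DOMAINS = ["microsoft.com", "windowsupdate.com",
                  "update.microsoft.com.akadns.net"]
BROKEN_DOMAINS = [".microsoft.com", "update.microsoft.com.akadns.net",
                  "update.microsoft.com.nsatc.net"]


def server_name_regex(domain: str) -> str:
    """Anchored POSIX-ERE pattern for Squid's ssl::server_name_regex.

    Dots are escaped and the pattern is anchored, so "microsoft.com" covers
    microsoft.com and its subdomains but not evilmicrosoft.com. Only the dot
    is escaped because hostnames contain no other regex metacharacters.
    """
    escaped = domain.replace(".", r"\.")
    return rf"^(.*\.)?{escaped}$"


def sni_matches(hostname: str, domains) -> bool:
    """Emulate the splice decision with the generated, anchored patterns."""
    return any(re.search(server_name_regex(d), hostname) for d in domains)


def loose_sni_matches(hostname: str, domains) -> bool:
    """Emulate the thread's patterns as written: unescaped and unanchored."""
    return any(re.search(d, hostname) for d in domains)


def dstdomain_matches(hostname: str, entry: str) -> bool:
    """Squid dstdomain semantics: a leading dot covers the domain and all of
    its subdomains; without it the entry is an exact host match."""
    if entry.startswith("."):
        return hostname == entry[1:] or hostname.endswith(entry)
    return hostname == entry


def render_config(bypass, broken_file="/usr/local/squid/etc/dstdom.broken") -> str:
    """Render the ssl_bump and sslproxy_cert_error section as squid.conf text."""
    lines = ["acl DiscoverSNIHost at_step SslBump1"]
    lines += [f"acl NoSSLIntercept ssl::server_name_regex {server_name_regex(d)}"
              for d in bypass]
    lines += [
        "ssl_bump peek DiscoverSNIHost",      # read the ClientHello to learn the SNI
        "ssl_bump splice NoSSLIntercept",     # pass listed servers through undecrypted
        "ssl_bump bump all",                  # decrypt and inspect everything else
        "",
        f'acl BrokenButTrustedServers dstdomain "{broken_file}"',
        "acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH",
        # Only the name-mismatch error, and only for the listed servers
        "sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch",
        "sslproxy_cert_error deny all",
    ]
    return "\n".join(lines) + "\n"


def render_broken_file(broken) -> str:
    """Contents of the dstdom.broken file read by the dstdomain ACL."""
    return "\n".join(broken) + "\n"


if __name__ == "__main__":
    print(render_config(BYPASS_DOMAINS))
    print("--- dstdom.broken ---")
    print(render_broken_file(BROKEN_DOMAINS))
    for host in ("update.microsoft.com", "evilmicrosoft.com"):
        print(f"{host}: anchored={sni_matches(host, BYPASS_DOMAINS)} "
              f"loose={loose_sni_matches(host, BYPASS_DOMAINS)}")
```

Running it prints the rendered section and shows that evilmicrosoft.com is matched by the loose patterns from the thread but not by the anchored ones; the dstdomain emulation shows why ".microsoft.com" in the broken-servers file covers download.microsoft.com while a bare "microsoft.com" entry would not.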