[squid-users] Squid TPROXY issues with Google sites

Discussion:

Amos Jeffries

2017-05-26 17:00:07 UTC

Erm, not quite. The raw-IP having to be dealt with comes from the use of
TPROXY (or NAT), not TLS. It is used when Squid is deciding whether to
permit the traffic on the TCP connection to be processed.

Once the TLS is received (by "peek") the TLS SNI (if any) becomes available.

[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all
First of all, I was expecting that if a client tried to open https://mail.google.com, the connection would be blocked by Squid (DenyTroublesome ACL). It isn't. Why?

Any of the http_access lines you omitted from the config snippet might
be letting it through. Order is important, and knowing the whole
http_access sequence (and more) is just as important to correctly answer
a question such as this. So take the below with a grain of salt, I am
assuming nothing else in your config has subtle effects on the
processing outcome.

There are several things that can lead to it;

* Google servers do have working rDNS. So raw-IP becomes a server
hostname for dstdomain ACL to match.
- the rDNS is within *.1e1.net so will not match your list shown, but
it is enough to possibly evade your IP rules.

* If no provides access control lines match Squid inverted the action on
the last one and does that.
- yours are all deny, so the implicit action there is "allow all"

* "ssl_bump peek all" fetches the TLS SNI server name for
ssl::server_name ACL to match.
- so by the time Squid gets to processing the AllowTroublesome it
already knows the client is trying to reach a *.google.com domain.

Second, I am unable to scan content since Squid is splicing all Google traffic. However, if I "bump AllowTroublesome", I can enter my username in https://accounts.google.com, but trying to access to the next step (user password) fails with an unreported error.
Any suggestions?

The rest of your related squid.conf is needed for that, including
details of the files includes into the ACLs. In particular it is not
clear what this "unreported error" is or why it happens.

Amos

Alex Rousskov

2017-05-26 16:44:35 UTC

Permalink

I know that in TLS traffic there are only IP addresses

This is a gross exaggeration. The reality is much more nuanced.

I added mail.google.com to a custom file named "denied.domains" and loaded as denied_domains ACL in Squid.
[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all
First of all, I was expecting that if a client tried to open
https://mail.google.com, the connection would be blocked by Squid
(DenyTroublesome ACL). It isn't. Why?

If a transaction is not blocked, then you have an http_access rule that
allows it. You need to figure out which rule does that. You can figure
that out by studying debugging logs, adding/logging annotate_transaction
ACLs, and/or altering http_access rules.

Second, I am unable to scan content since Squid is splicing all
Google traffic.

You told Squid to bump nothing because nothing can be bumped after
"ssl_bump peek all". You may want to study the following wiki page,
including definitions of actions such as "peek" and examples.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.

Benjamin E. Nichols

2017-05-26 15:54:08 UTC

Permalink

Here is a list of google domains that may help you,

http://www.squidblacklist.org/downloads/whitelists/google.domains

Hi,
I'd like to block access to Google Mail but allow it to Google Drive. I also need to intercept Google Drive traffic (https) and scan its content via c-icap modules for threats (with clamav and other tools which would block potentially harmful files).
I've failed so far.
I added mail.google.com to a custom file named "denied.domains" and loaded as denied_domains ACL in Squid. I know that in TLS traffic there are only IP addresses, so I created the "server_name" ACL as seen below.
[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all
First of all, I was expecting that if a client tried to open https://mail.google.com, the connection would be blocked by Squid (DenyTroublesome ACL). It isn't. Why?
Second, I am unable to scan content since Squid is splicing all Google traffic. However, if I "bump AllowTroublesome", I can enter my username in https://accounts.google.com, but trying to access to the next step (user password) fails with an unreported error.
Any suggestions?
Vieri
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users

--
--

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org

1-405-397-1360 - Call Anytime.

Vieri

2017-05-26 23:22:02 UTC

Permalink

I forgot to put the emphasis on one thing. I did not change my squid.conf or my ACLs. The only difference is in the ssl_bump configuration directives.

If I have this:

acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

then access to https://mail.google.com is allowed when I was hoping to block it.

If I replace the above snippet with this:

ssl_bump stare all
ssl_bump bump all

then access to https://mail.google.com is blocked as expected.

The above puzzles me since I haven't changed anything else.
If I had an http_access rule that allowed the transaction to take place then I would expect it to happen regardless of the ssl_bump directive.

Alex, you mention the SSLPeekAndSplice web page. I'll try to sum it up in just a few lines (correct me if I'm wrong):
- peek implies splice which means you can't do content analysis (as in scan for threats via c-icap modules)
- stare implies bump which means you can do content analysis
- you don't need to stare, you can just bump
- you need to stare before bump if you want the clients to accept a certificate with domain names instead of IP addresses
- you can bump first by ACLs and then splice the rest
- you can bump after peek but only if you do that at SslBump1

I'm asking this because the wiki page isn't all that clear to me. Especially the "Bump All Sites Except Banks" example where the next phrase contradicts the title by saying that the requests to non-banks won't be bumped.

Anyway, I'm only interested in bumping as much as possible so I can scan content for threats.

So Amos, here goes my full squid.conf:

# grep -v ^# squid.conf | grep -v "^\$"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.custom.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# grep -v ^# squid.custom.rules | grep -v "^\$"
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/***@MYDOMAIN.ORG
auth_param negotiate children 60
auth_param negotiate keep_alive on
auth_param basic realm MYORG proxy
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl FHM_all proxy_auth REQUIRED
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl interceptednormal myportname 3131
acl interceptedsslnormal myportname 3132
acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips"
acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups"
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes"
acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains"
http_access deny restricted_ips !restricted_domains
http_access deny restricted_groups !restricted_domains
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
http_access deny denied_ads !allowed_groups !allowed_ips
http_access deny denied_filetypes !allowed_groups !allowed_ips
http_access deny explicit !FHM_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny interceptedsslnormal !localnet
http_access deny interceptednormal !localnet
cache_mgr ***@mydomain.org
email_err_data on
error_directory /usr/share/squid/errors/MYORG
append_domain .mydomain.org
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
include /etc/squid/squid.custom.common
include /etc/squid/squid.custom.hide
cache_dir diskd /var/cache/squid 100 16 256
http_access allow localnet

# grep -v ^# squid.custom.common | grep -v "^\$"
cache_mgr ***@mydomain.org
email_err_data on
error_directory /usr/share/squid/errors/MYORG

# grep -v ^# squid.custom.hide | grep -v "^\$"
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Do you require the full ACLs too?

# grep google /usr/local/share/proxy-settings/*
/usr/local/share/proxy-settings/denied.domains:play.google.com
/usr/local/share/proxy-settings/denied.domains:mail.google.com

Note that the above configuration correctly blocks access to https://mail.google.com.
It also allows access to https://accounts.google.com and I can enter my Google username. However, I cannot press "the Next button" to enter the password. I could try to study the web page's source code but at a first glance:
1) Google login works fine if I by-pass the Squid proxy or if I use "ssl_bump splice".
2) I am not denying access to any Google service except for "play" and "mail".

Not being able to press "the Next button" is what I meant by "unreported error" in my previous e-mail. It is easy to reproduce with my squid.conf.

Thanks,

Vieri

Alex Rousskov

2017-05-27 01:53:22 UTC

Permalink

ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

... then you have a configuration that does not make sense because one
cannot bump after peeking at step2. Your configuration is equivalent to

* if the current step is 1 or 2, then peek
* if AllowTroublesome during step 3, then splice
* otherwise, do the impossible

which, bugs notwithstanding, is equivalent to

ssl_bump peek all
ssl_bump splice all

If the above does not block anything then your http_access rules allow
all CONNECTs (and you never get beyond CONNECTs because you do not bump).

ssl_bump stare all
ssl_bump bump all

This configuration makes sense (but it may not do what you want).

If you want to be able to make a "splice or bump" decision, then you
have to make it during step2:

ssl_bump peek step1
ssl_bump splice AllowTroublesome
ssl_bump bump all

If I had an http_access rule that allowed the transaction to take
place then I would expect it to happen regardless of the ssl_bump
directive.

Your expectations are wrong. SslBump directives expose http_access rules
to more (or fewer) transactions. For example, the "splice all"
configuration does not expose http_access rules to any GET requests.

Alex, you mention the SSLPeekAndSplice web page. I'll try to sum it
up in just a few lines

The SslBump feature is too complex to sum it up in just a few lines
unless those lines are something like "do not use it without fully
understanding it". Once you learn the basics of SSL handshake, which
Squid steps look at what parts of the handshake, and what the essential
difference between peeking and staring is, then SslBump becomes less of
black magic. Without that knowledge, it is a dark mystery.

- peek implies splice which means you can't do content analysis (as
in scan for threats via c-icap modules)

Wrong. Peeking at step1 does not preclude future bumping. Peeking at
step2 precludes future bumping. If you peek at step2, then you have to
splice or terminate at step3.

- stare implies bump which means you can do content analysis

Wrong for similar/symmetrical reasons.

- you don't need to stare, you can just bump

Wrong in many cases -- usually you _do_ need to stare (or peek) at least
at step1, but YMMV.

- you need to stare before bump if you want the clients to accept a
certificate with domain names instead of IP addresses

Misleading. You need to stare or peek to get more information, including
the server domain name. That information comes from either the client or
the server, depending on the step. That information is used to generate
a fake certificate. The more info Squid has, the better it can
fake/mimic the true certificate, but learning more information restricts
the set of ssl_bump actions.

- you can bump first by ACLs and then splice the rest

If you mean that ssl_bump rules may start with "bump" rules and end with
"splice" rules, then this is true, but the reverse is also true, and the
rules may contain a mixture of many actions.

- you can bump after peek but only if you do that at SslBump1

Too vague to be generally useful. You can bump after peeking at step1.
You cannot bump after peeking at step2.

the "Bump All Sites Except Banks" example where the next
phrase contradicts the title by saying that the requests to non-banks
won't be bumped.

Correct! The example, the title, and the warning were written by
different people. One of them is right. If you know how SslBump works,
you know which part is correct. At that time, please feel free to
propose changes to fix the wiki page. Hundreds of folks receive SslBump
help on this mailing list, but only one of them took the pains to
improve the page afterwards (thank you again, Marcus Kool!). Parts of
that page still need a lot of work.

HTH,

Alex.

Vieri

2017-05-28 11:40:31 UTC

Permalink

Hi Alex et al.,

Thank you very much for your analysis and help. I really appreciate it.

Please keep in mind that I'm basically an end-user, a sys-admin. I wish I had the time to study Squid's source code. All I can do for now is read the docs that so many people have kindly published.

In 99% of my use cases, I only need this:

ssl_bump stare all
ssl_bump bump all

However, some sites simply don't behave well when accessed with Squid TPROXY. This is an example I'm reporting regarding access to https://accounts.google.com.

The use case is simple. A client browser successfully connects to https://accounts.google.com and I can see this in the access log (there might be some garbage but I'm posting it all for completeness):

# tail -f /var/log/squid/access.log | grep 10.215.145.8
1495969366.990 90 10.215.145.8 TCP_MISS/302 870 GET https://accounts.google.com/ - ORIGINAL_DST/216.58.201.141 text/html
1495969367.089 91 10.215.145.8 TCP_MISS/302 1206 GET https://accounts.google.com/ManageAccount - ORIGINAL_DST/216.58.201.141 text/html
1495969367.165 165 10.215.145.8 TAG_NONE/200 0 CONNECT 216.58.201.141:443 - ORIGINAL_DST/216.58.201.141 -
1495969367.546 452 10.215.145.8 TCP_MISS/200 254275 GET https://accounts.google.com/ServiceLogin? - ORIGINAL_DST/216.58.201.141 text/html
1495969367.684 99 10.215.145.8 TCP_MISS/200 837 GET https://accounts.google.com/_/common/diagnostics/? - ORIGINAL_DST/216.58.201.141 application/json
1495969367.799 218 10.215.145.8 TAG_NONE/200 0 CONNECT 216.58.201.141:443 - ORIGINAL_DST/216.58.201.141 -
1495969368.341 356 10.215.145.8 TCP_MISS/200 9598 GET https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw - ORIGINAL_DST/172.217.9.227 text/javascript
1495969373.609 249 10.215.145.8 TCP_MISS/200 9598 GET https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw - ORIGINAL_DST/172.217.9.227 text/javascript
1495969393.879 248 10.215.145.8 TCP_MISS/200 9598 GET https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw - ORIGINAL_DST/172.217.9.227 text/javascript
1495969393.940 166 10.215.145.8 TCP_MISS/200 452 GET http://detectportal.firefox.com/success.txt - ORIGINAL_DST/23.219.93.219 text/plain
1495969394.116 225 10.215.145.8 TCP_MISS/200 1261 GET https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw - ORIGINAL_DST/172.217.9.227 text/javascript
1495969394.204 873 10.215.145.8 TAG_NONE/200 0 CONNECT 54.148.190.222:443 - ORIGINAL_DST/54.148.190.222 -
1495969394.724 488 10.215.145.8 TCP_MISS/200 195 POST https://incoming.telemetry.mozilla.org/submit/telemetry/3474d8df-c0c5-454b-916f-20ad7f8cb3f3/main/Firefox/52.0.2/release/20170323105023? - ORIGINAL_DST/54.148.190.222 text/plain
1495969399.355 223 10.215.145.8 TCP_MISS/200 1261 GET https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw - ORIGINAL_DST/172.217.9.227 text/javascript

The client browser successfully renders Google's log-in page where you enter a username. However, it is NOT possible to "click next" and enter a password.
No matter what the user does on that page, nothing is logged in /var/log/squid/access.log.

The cache log reports errors but they are not necessarily related to this client as there are many others actively browsing.

# grep -i error /var/log/squid/cache.log
2017/05/28 12:55:48 kid1| Error negotiating SSL on FD 93: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/2)
2017/05/28 12:55:48 kid1| Error negotiating SSL connection on FD 90: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate (1/0)
2017/05/28 12:55:49 kid1| Error negotiating SSL on FD 143: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:55:50 kid1| Error negotiating SSL on FD 172: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:55:55 kid1| Error negotiating SSL on FD 57: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2017/05/28 12:55:55 kid1| Error negotiating SSL connection on FD 27: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)
2017/05/28 12:55:58 kid1| Error negotiating SSL on FD 57: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:55:58 kid1| Error negotiating SSL on FD 183: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:00 kid1| Error negotiating SSL on FD 82: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:01 kid1| Error negotiating SSL on FD 82: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:02 kid1| Error negotiating SSL on FD 82: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:02 kid1| Error negotiating SSL on FD 141: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:05 kid1| Error negotiating SSL on FD 81: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:05 kid1| Error negotiating SSL on FD 57: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2017/05/28 12:56:05 kid1| Error negotiating SSL connection on FD 52: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)
2017/05/28 12:56:06 kid1| Error negotiating SSL on FD 47: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:08 kid1| Error negotiating SSL on FD 47: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:09 kid1| Error negotiating SSL on FD 47: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:11 kid1| Error negotiating SSL on FD 47: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:13 kid1| Error negotiating SSL on FD 38: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:16 kid1| Error negotiating SSL on FD 38: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:16 kid1| Error negotiating SSL on FD 38: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:16 kid1| Error negotiating SSL on FD 38: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:17 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:19 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:20 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:21 kid1| Error negotiating SSL on FD 52: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2017/05/28 12:56:21 kid1| Error negotiating SSL connection on FD 49: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)
2017/05/28 12:56:21 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:22 kid1| Error negotiating SSL on FD 47: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:22 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:24 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:25 kid1| Error negotiating SSL on FD 17: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:27 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:27 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:30 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:30 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:32 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:34 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:56:35 kid1| Error negotiating SSL on FD 12: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry (1/-1/0)

As I said, if the client browses without Squid TPROXY in the middle, there are no issues and https://accounts.google.com behaves as expected. I haven't read Google's web page source code so I don't know yet which javascript call might be failing, etc.

Is it only me or can this issue be reproduced elsewhere?
Has anyone successfully logged into https://accounts.google.com when using the following config directives in Squid?

ssl_bump stare all
ssl_bump bump all

Anyway, as a workaround I'm willing to splice/tunnel traffic to accounts.google.com *ONLY*, and bump everything else (although I'd prefer to understand why bumping isn't "working" for this site).

I've tried this:

acl GoogleAccounts ssl::server_name accounts.google.com
#acl GoogleAccounts dstdomain accounts.google.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice GoogleAccounts
ssl_bump bump all

However, traffic to accounts.google.com is not spliced, it's bumped like the rest.

Can FQDNs be used in ACLs as in the example above even when peeking at step 1?
If I need to peek at step 2 for GoogleAccounts to splice then I take it I won't be able to "bump all" (the rest).
Likewise, If I need to stare at step 2 then I'll never be able to splice GoogleAccounts.

Please let me know if I'm totally off course.

Thanks,

Vieri

Alex Rousskov

2017-05-28 17:54:07 UTC

Permalink

Post by Vieri
Please keep in mind that I'm basically an end-user, a sys-admin. I
wish I had the time to study Squid's source code.

Nobody (certainly not me) has suggested anything that requires studying
Squid source code. If you think that I have, you have misinterpreted
what I have said.

Post by Vieri
The cache log reports errors but they are not necessarily related to
this client as there are many others actively browsing.

I recommend triaging this using a Squid instance isolated from all other
traffic. You are making both your job and the job of those who are
trying to help you more difficult by trying to save a few minutes/hours
that are usually required to set up an isolated test.

Post by Vieri
Anyway, as a workaround I'm willing to splice/tunnel traffic to
accounts.google.com *ONLY*, and bump everything else (although I'd
prefer to understand why bumping isn't "working" for this site).
acl GoogleAccounts ssl::server_name accounts.google.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice GoogleAccounts
ssl_bump bump all
However, traffic to accounts.google.com is not spliced, it's bumped like the rest.

You need to figure out why. Two common reasons are SSL-level errors and
http_access denials. Both should be reflected in access.log and
debugging cache.log.

Post by Vieri
Can FQDNs be used in ACLs as in the example above even when peeking at step 1?

Yes. They may not work, but they can be used. They should work if the
request contains TLS SNI. Modern browser requests usually do, but you
can confirm by studying browser-Squid traffic with a tool like Wireshark.

Post by Vieri
If I peek at step 2 then I won't be able to "bump all"

Correct.

Post by Vieri
Likewise, If I need to stare at step 2 then I'll never be able to splice

Correct.

Alex.

Vieri

2017-05-31 21:20:29 UTC

Permalink

________________________________

Post by Alex Rousskov
You need to figure out why. Two common reasons are SSL-level errors and
http_access denials. Both should be reflected in access.log and
debugging cache.log.

I finally found out it was an http_access deny on an ACL match with url_regex.

Thanks Alex.

Vieri