Hi Eliezer,
I can tell you that we have come across specific sites that were OK
being bumped in squeeze (which comes with OpenSSL 0.9.8) but did not work in
wheezy, which uses 1.0.1.
Here are the example sites we found so far (in the form of acls):
acl nobump dstdomain .cardsonline-commercial.com
acl nobump dstdomain .nwolb.com
acl nobump dstdomain .studentloanrepayment.co.uk
acl nobump dstdomain .shareview.co.uk
acl nobump dstdomain .cahoot.com
acl nobump dstdomain .firstdirect.com
acl nobump dstdomain .nab.com.au
acl nobump dstdomain .rbs.co.uk
I think it's something to do with TLS 1.2 vs SSL3 negotiation. And from
testing with sslclient it seems it decides to ignore quite a lot of
installed CA certs, and sslclient will fail unless I specifically point
to the CA cert the relevant site uses.
Thanks
Alex
On 11/07/13 21:03, Eliezer Croitoru wrote:
> Hey Alex,
>
> I am unsure about the reason for the breakage of these sites since I have
> never used squid SSL-BUMP other than compiling it yet.
> Claiming it's a specific version of OpenSSL is quite a claim.
> If you have tried with another version I would say you can claim it.
>
> I would say that breaking any full duplex protocol always seems like
> a bad idea to me.
> I have seen other systems that *break* and bump ssl connections like
> gmail and other sites.
> And since I have seen other software *results* I would say the reason is
> probably not OpenSSL directly but I cannot prove it yet.
>
> I do hope that you can give examples to sites that do not play well with
> SSLBump so I and others can test it.
> If we test we can try to fix and debug it.
> Please take your time and give a list of sites that can be tested which
> are not banks or money organisations to make sure that the root and
> source of the problem with SSL-BUMP is one way or another solvable.
>
> If you can take a sec to file at http://bugs.squid-cache.org/ it will
> help the project a lot.
>
> Thanks,
> Eliezer
>
> On 07/11/2013 10:39 PM, Alex Crow wrote:
>> Hi Eliezer,
>>
>> I build .debs for squeeze, basically copying the debian subdir from the
>> source packages into the extracted archives and adjusting accordingly
>> (ie modifying Changelog and deleting old patches). I tried wheezy but
>> the OpenSSL 1.0.1 horribly breaks *loads* of sites when using SSLBump.
>>
>> Cheers
>>
>> Alex
>>
>> On 11/07/13 20:30, Eliezer Croitoru wrote:
>>> Squid 3.3.7 is out and there was a new leak that was fixed and might
>>> have caused the problem you are referring to.
>>>
>>> If you have used my RPM there is an update to 3.3.6 which does not include
>>> the latest patches, and a 3.3.7 with all the patches will probably be out
>>> next week since it builds fine.
>>> What version of linux are you using?
>>>
>>> Eliezer
>>>
>>> On 07/11/2013 08:32 PM, Alex Crow wrote:
>>>> Hi all,
>>>>
>>>> I've been running 3.3.5 with NTLM auth, an icap service (c-icap with
>>>> clamav) and SSL Bump/Dynamic cert, and I've noticed that the squid3
>>>> process rapidly consumes almost all of my RAM (12G) within just a few
>>>> hours:
>>>>
>>>> 16143 proxy 20 0 8554m 8.2g 5788 S 0 69.6 35:09.43 squid3
>>>>
>>>> My cache_mem is 4GB, and my disk cache is 48GB, which should, according
>>>> to estimates, use between 4.5 and 5.5G. (We only have about 350 users).
>>>>
>>>> We were quite happily using 3.2.11 with the same parameters. Has anyone
>>>> else noticed very high memory usage with Squid 3.3.x in a similar setup?
>>>>
>>>> Thanks
>>>>
>>>> Alex
Received on Thu Jul 11 2013 - 20:43:35 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 12 2013 - 12:00:12 MDT