Re: [squid-users] unsure of how to use sslBump

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 29 Jul 2008 14:03:31 +1200

Brad Barnett wrote:
>
> Hey all,
>
> I've compiled squid-3.HEAD-20080728.tar.gz, and all seems to be working
> fine in a general respect.
>
> However, I can't seem to get sslBump working. I have squid set up as a
> transparent proxy, and that part is working fine. However, when I add
> the following lines, and use iptables to redirect port 443 traffic to
> squid, generally squid just sits, stalled, forever.

IIRC, sslBump was not designed to allow interception of port 443.
What it does is decrypt HTTPS sent as CONNECT requests through the proxy.

There was some discussion about ways to hack it up to do the
interception. I think there may have been a little more coding needed
for that. You will have to google the archives and find the original
threads on this.

Amos

>
> I turned up the debug log, but didn't even see any cogent information
> indicating that sslbump, or any ssl traffic was being attempted.
>
> Any ideas? Note, while I show 'http_port 3129' below, I also tried using
> port 3128, as per the example on the wiki.
>
> Thanks
>
>
> # configure the HTTP port to bump CONNECT requests
> http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key
>
> # avoid bumping requests to sites that Squid cannot proxy well
> acl broken_sites dstdomain .webax.com
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore certain certificate errors or
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://weserve.badcerts.com/
> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error allow BogusError
> sslproxy_cert_error deny all

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
Received on Tue Jul 29 2008 - 02:03:33 MDT
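Amos's point is that sslBump of this era expects an HTTP CONNECT request on the proxy port, while iptables-redirected port 443 traffic arrives as a raw TLS handshake. The following added example (not from this thread or the Squid project) peeks at the first bytes a client sends and classifies them, which is a quick way to confirm what is actually reaching the port; the sample bytes and the function name are constructed for illustration.

```python
import re

# Constructed sample: a browser configured to use the proxy explicitly opens
# the tunnel with an HTTP CONNECT request; this is the form sslBump bumps.
EXPLICIT_CONNECT = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n\r\n"
)

# Constructed sample: the first bytes of an intercepted connection are a TLS
# record header (type 0x16 = handshake, version 3.1 = TLS 1.0) followed by
# the start of a ClientHello. No HTTP request line ever arrives, so a port
# waiting for one will sit there until the client gives up.
INTERCEPTED_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2C, 0x01, 0x00, 0x00, 0x28])

TLS_HANDSHAKE_RECORD = 0x16
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(?P<host>[^\s:]+|\[[^\]]+\]):(?P<port>\d+)\s+HTTP/1\.[01]\r\n"
)
PLAIN_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the opening bytes of a client connection on a proxy port.

    Returns a dict whose "kind" is one of:
      "connect" - explicit HTTPS via the proxy (what sslBump expects)
      "http"    - plain HTTP request
      "tls"     - raw TLS handshake, i.e. intercepted port 443 traffic
      "unknown" - anything else
    """
    m = CONNECT_RE.match(data)
    if m:
        return {"kind": "connect", "host": m["host"].decode(), "port": int(m["port"])}
    if data.startswith(PLAIN_HTTP_METHODS):
        return {"kind": "http"}
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        # Record-layer version: (3, 1) is TLS 1.0, (3, 3) is TLS 1.2
        return {"kind": "tls", "record_version": (data[1], data[2])}
    return {"kind": "unknown"}


if __name__ == "__main__":
    for label, sample in (("explicit", EXPLICIT_CONNECT), ("intercepted", INTERCEPTED_TLS)):
        print(label, classify_first_bytes(sample))
```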
