Re: [squid-users] sslBump: unrecognized: 'ssl_bump', unrecognized: 'https_port'

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Sep 2010 00:06:55 +1200

On 09/09/10 23:05, Guillaume CHAUVEL wrote:
>> Hi,
>>
>> I want to enable SSL bumping with Squid.
>> This function is disabled in Debian version of Squid (Lenny,
>> Lenny-backports and Squeeze), so I decided to compile Squid from source.
>>
>> Squid version: 3.1.8
>>
>> ./configure --prefix=/usr/local/squid \
>> --enable-inline \
>> --enable-async-io=8 \
>> --enable-storeio="ufs,aufs,diskd" \
>> --enable-removal-policies="lru,heap" \
>> --enable-delay-pools \
>> --enable-cache-digests \
>> --enable-icap-client \
>> --enable-follow-x-forwarded-for \
>> --enable-auth="basic,digest,ntlm,negotiate" \
>>
> .......
>>
>> /usr/local/squid/sbin/squid output:
>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
>> squid.conf:1155 unrecognized: 'https_port'
>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
>> squid.conf:1156 unrecognized: 'ssl_bump'
>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
>> squid.conf:1537 unrecognized: 'ssl_bump'
>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
>> squid.conf:5625 unrecognized: 'sslproxy_cert_error'
>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
>> squid.conf:5626 unrecognized: 'sslproxy_flags'
>>
>> What am I doing wrong?
>
> ./configure --help | grep ssl
> --enable-ssl Enable ssl gatewaying support using OpenSSL
> --with-openssl{=PATH} Compile with the OpenSSL libraries. The path to the
>
> It looks like '--with-ssl' doesn't work, you should use '--enable-ssl'
>
> Also, since 3.1.7 "sslBump" is deprecated; you should move to
> "ssl-bump": http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_7.html
> Have a look at ./src/squid.conf.documented line 1045.
>
>
>> http_port 8080
>> https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem
>
> I am quite new to squid, but I don't think this is going to do what you
> want, judging by your config file without any "cache_peer".
> https_port, as stated in the documentation, is really only useful when
> running squid as an accelerator. You should use
> "http_port 8080 ssl-bump cert=/etc/ssl/certs/certificate.pem" instead
> and remove https_port.

Yes, https_port is a port for receiving "native" SSL connections.

The ssl-bump feature is for converting CONNECT tunnel requests into
normal HTTP traffic. CONNECT is a weird kind of HTTP-over-SSL-over-HTTP
multiple-wrapped request thing. ssl-bump strips away the outer two
layers of wrapping. It only works when browsers etc. are configured
to send their HTTPS via an HTTP proxy.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
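The corrected configuration the thread converges on, written out as an added example (it is not taken from the thread or from Squid's own documentation). It assumes a Squid 3.1.8 built with the "--enable-ssl --with-openssl" flags quoted above; the certificate and key paths and the "banking" ACL are illustrative assumptions:

```conf
# Added example, not from the original post. Assumes Squid 3.1.8 built with
# ./configure ... --enable-ssl --with-openssl   (the flags quoted in the thread;
# without --enable-ssl the ssl_bump/https_port/sslproxy_* directives are
# "unrecognized", exactly as in the error output above).

# WRONG for a forward proxy: https_port expects browsers to open a native TLS
# connection to the proxy itself, and "sslBump" is the spelling deprecated in 3.1.7.
#https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem

# RIGHT: a plain proxy port with ssl-bump, which turns the browser's CONNECT
# tunnel into HTTP requests Squid can inspect. cert= is what Squid presents to
# the browser in place of the origin server's certificate, so clients must trust
# it as a CA; key= is its private key (file readable only by the Squid user).
# Paths are assumptions.
http_port 8080 ssl-bump cert=/etc/ssl/certs/proxy-ca.pem key=/etc/ssl/private/proxy-ca.key

# Bump only what needs inspecting; CONNECT to anything on the deny list stays an
# opaque tunnel. The "banking" ACL and its domain are assumed examples.
acl banking dstdomain .example-bank.invalid
ssl_bump deny banking
ssl_bump allow all

# Do NOT enable these in production: they make Squid accept any upstream
# certificate (expired, self-signed, wrong name) and re-sign the connection for
# the client, so the bump hides exactly the errors a browser would have shown.
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error deny all
```

Check the build with "squid -v", whose output lists the configure options and should contain "--enable-ssl", and check the file with "squid -k parse -f /path/to/squid.conf" before restarting. One caveat for 3.1 specifically: to my understanding this release presents the single cert= certificate to every bumped site (per-site certificate generation arrived in 3.2), so browsers will warn about the name mismatch even when they trust the proxy CA.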
Received on Thu Sep 09 2010 - 12:07:01 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 09 2010 - 12:00:02 MDT