[squid-users] Re: SSLBump+DynamicSSL not working in Squid 3.2.0.7?

From: Will Metcalf <william.metcalf_at_gmail.com>
Date: Thu, 21 Apr 2011 23:08:00 -0500

Not sure if it helps but here is an access.log entry for a non-working
sslbump+dynamicssl connection.

1303442234.277 0 192.168.1.107 NONE/000 0 CONNECT gmail.google.com:443 - HIER_NONE/- -

Regards,

Will

On Wed, Apr 20, 2011 at 9:51 PM, Will Metcalf <william.metcalf_at_gmail.com> wrote:
> SSLBump+DynamicSSL was working for me in squid-3.2.0.5-20110329, I
> built and tried 3.2.0.7 last night and it seems to present the spoofed
> cert to the browser but the page never loads.  Can anybody else verify
> this behavior?
>
>  ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
> --mandir=/usr/share/man --with-cppunit-basedir=/usr --enable-inline
> --enable-async-io=8 --enable-storeio="ufs,aufs,diskd"
> --enable-removal-policies="lru,heap" --enable-delay-pools
> --enable-cache-digests --enable-underscores --enable-icap-client
> --enable-follow-x-forwarded-for --enable-arp-acl --enable-esi
> --disable-translation --with-logdir=/var/log/squid3
> --with-pidfile=/var/run/squid3.pid --with-filedescriptors=65536
> --with-large-files --with-default-user=proxy --enable-ssl
> --enable-ssl-crtd --enable-ecap && make && sudo make install
>
>
> #relevant portion of the squid.conf that works with squid-3.2.0.5-20110329
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/will.lan.pem
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/ssl_db -M 4MB
> sslcrtd_children 5
>
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
Received on Fri Apr 22 2011 - 04:08:13 MDT
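
Added example, not part of the original post or of Squid: a small Python parser for Squid's native access.log format that picks out CONNECT entries with the same shape as the one quoted in this message (NONE/000, zero bytes, HIER_NONE), so the number of connections failing this way can be counted per client or host. The first sample line is the entry from the post; the other lines, and the names `parse_line` and `stalled_connects`, are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    ts: float        # UNIX time with milliseconds
    elapsed_ms: int
    client: str
    result: str      # e.g. NONE, TCP_MISS
    status: int      # HTTP status, 0 when logged as 000
    size: int        # bytes sent to the client
    method: str
    url: str
    hier: str        # e.g. HIER_NONE, HIER_DIRECT
    peer: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], hier, peer)
    except ValueError:
        return None

def stalled_connects(lines):
    """Return CONNECT entries logged as NONE/000, 0 bytes, HIER_NONE."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if (e and e.method == "CONNECT" and e.result == "NONE"
                and e.status == 0 and e.size == 0 and e.hier == "HIER_NONE"):
            hits.append(e)
    return hits

SAMPLE = [
    # Entry from the post above
    "1303442234.277 0 192.168.1.107 NONE/000 0 CONNECT gmail.google.com:443 - HIER_NONE/- -",
    # Constructed lines for contrast
    "1303442240.512 153 192.168.1.107 TCP_MISS/200 4312 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -",
    "1303442241.001 12 192.168.1.108 TCP_HIT/200 1024 GET http://www.example.com/ - HIER_NONE/- text/html",
    "1303442242.000 truncated",
]

if __name__ == "__main__":
    for e in stalled_connects(SAMPLE):
        print(f"{e.ts:.3f} {e.client} -> {e.url}")
```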
