Re: [squid-users] stopping sslbump to domains with invalid or unsigned certs

From: Amos Jeffries <>
Date: Wed, 21 Dec 2011 13:02:36 +1300

On 21/12/2011 3:34 a.m., Sean Boran wrote:
> Hi,
> sslbump allows me to interrupts ssl connections and run an AV check on them.
> It generates a certs for the target domain (via sslcrtd), so that the
> users browser sees a server cert signed by the proxy.
> If the target domain has a certificate that is expired, or it not
> signed by a recognised CA, its important that the lack of trust is
> communicated to the end user.
> Example, on connecting direct (not via a proxy) to
> the certificated presented is expired 2
> years ago and not signed by known CA .
> Noext on connecting via a sslbump proxy (v3.2.0.14), the proxy creates
> a valid cert for and in the user's browsers it
> looks like has a valid cert signed by the proxy.
> So my question is:
> What ssl_bump settings would allow the proxy to handle such
> destinations with expired or non trusted sites by, for example:
> a) Not bumping the connection but piping it through to the user
> unchanged, so the user browser notices the invalid certs?
> b) Refuses the connection with a message to the user, if the
> destination is not on an allowed ACL of exceptions.

Pretty much. The Measurement Factory has a project underway to fix this
Please contact Alex about sponsoring their work to make it happen
faster, or get access to the experimental code.

> Looking at squid.conf, there is sslproxy_flags, sslproxy_cert_error
> # TAG: sslproxy_flags
> # DONT_VERIFY_PEER Accept certificates that fail verification.
> # NO_DEFAULT_CA Don't use the default CA list built in
> to OpenSSL.
> # TAG: sslproxy_cert_error
> # Use this ACL to bypass server certificate validation errors.
> So, the following config would then implement scenario b) above?
> # Verify destinations: yes, but allow exceptions
> sslproxy_flags DONT_VERIFY_PEER
> #sslproxy_flags none
> # ignore Certs with certain cites
> acl TrustedName url_regex ^
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error deny all
> ==> But then, why does it not throw an error when connecting to
> ?

You configured not to verify, therefore the error is not noticed and
cannot trigger any action.

Why no output is displayed you will have to ask the OpenSSL people.
There are a few places in their API like this where errors are silently
dropped and seemingly no way is provided to check for them externally
(ie from Squid).

Received on Wed Dec 21 2011 - 00:02:41 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 21 2011 - 12:00:03 MST