RE: [squid-users] Squid and SSL interception (ssl-bump)

From: Heinrich Hirtzel <heinrichhirtzel99_at_hotmail.com>
Date: Wed, 31 Oct 2012 16:49:37 +0100

Hi Eliezer
 
> what iptables rules have you used?
> also you better use squid 3.2 for ssl-bump.
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 81 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 443
 
> also you better use squid 3.2 for ssl-bump.
K, will try that. Stay tuned :-)
 
> take a look at:
> http://wiki.squid-cache.org/Features/SslBump
> and
> http://wiki.squid-cache.org/Features/DynamicSslCert
 
I've read through them at least 10 times (I'm not kidding) and tried various different configurations without finding any solution. Maybe I simply missed something :-/
 
Do I need to compile squid with '--enable-ssl-crtd' or is '--enable-ssl' enough?
 
Regards,
Heinrich

----------------------------------------
> Date: Wed, 31 Oct 2012 17:40:38 +0200
> From: eliezer_at_ngtech.co.il
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid and SSL interception (ssl-bump)
>
> On 10/31/2012 5:33 PM, Heinrich Hirtzel wrote:
> > Hello
> >
> > For a school project I'm trying to intercept SSL connections by using Squid (client -> squid (transparent) -> server).
> > I'm running Squid 3.1.20 on Ubuntu server 12.10 (64 bit) using the following configuration:
> >
> > *************************************
> > http_port 10.0.1.1.:3128 intercept
> > https_port 10.0.1.1.:443 ssl-bump cert=/user/local/squid3/ssl_cert/myCA.pm
> If I remember right you should use http and not https
>
> >
> > acl our_networks src 10.0.1.0/24
> > http_access allow our_networks
> > forwarded_for off
> > ssl_bump allow all
> > sslproxy_cert_error allow all
> > sslproxy_flags DONT_VERIFY_PEER
> > *************************************
> what iptables rules have you used?
> also you better use squid 3.2 for ssl-bump.
>
> what were you reading about ssl-bump?
>
> take a look at:
> http://wiki.squid-cache.org/Features/SslBump
> and
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> Regards,
> Eliezer
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il
                                               
Received on Wed Oct 31 2012 - 15:49:44 MDT
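
Added example (not part of the original messages and not Squid project code): a small Python check that cross-references the iptables REDIRECT rules and the squid.conf lines posted in this thread. It reports redirect targets with no matching listening port or without an interception flag, and flags the two directives that make the proxy accept any upstream certificate. The function names are hypothetical; the check reports mismatches only and does not know which options a given Squid release accepts.

```python
import re

# Input copied from the messages in this thread (iptables rules and squid.conf).
IPTABLES = """\
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 81 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 443
"""
SQUID_CONF = """\
http_port 10.0.1.1.:3128 intercept
https_port 10.0.1.1.:443 ssl-bump cert=/user/local/squid3/ssl_cert/myCA.pm
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

def parse_ports(conf):
    """Map listening port -> (directive, set of option names on that line)."""
    ports = {}
    for line in conf.splitlines():
        tok = line.split()
        if tok and tok[0] in ("http_port", "https_port"):
            port = int(tok[1].rsplit(":", 1)[-1])  # tolerates "ip:port" or bare port
            ports[port] = (tok[0], {t.split("=", 1)[0] for t in tok[2:]})
    return ports

def parse_redirects(rules):
    """Return (dport, to_port) for each REDIRECT rule."""
    pat = re.compile(r"--dport (\d+) .*-j REDIRECT --to-ports? (\d+)")
    return [(int(m[1]), int(m[2])) for m in map(pat.search, rules.splitlines()) if m]

def audit(rules, conf):
    """List mismatches between the redirects and squid.conf, plus weak TLS settings."""
    findings = []
    ports = parse_ports(conf)
    for dport, to_port in parse_redirects(rules):
        if to_port not in ports:
            findings.append(f"dport {dport}: nothing listens on {to_port}")
        elif not ports[to_port][1] & {"intercept", "transparent"}:
            findings.append(f"dport {dport}: {ports[to_port][0]} {to_port} lacks intercept")
    for line in conf.splitlines():
        if line.startswith("sslproxy_flags") and "DONT_VERIFY_PEER" in line:
            findings.append("upstream certificate verification disabled")
        if line.split() == ["sslproxy_cert_error", "allow", "all"]:
            findings.append("all upstream certificate errors accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(IPTABLES, SQUID_CONF):
        print("-", finding)
```

With `sslproxy_cert_error allow all` and `DONT_VERIFY_PEER` both set, clients behind the bumping proxy get no server authentication at all, so those two findings matter even once interception works.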
