Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <rmason_at_rodeofx.com>
Date: Mon, 1 Apr 2013 23:40:28 -0400

Hi Alex,

Thanks for all your help so far!

After further investigation I did find that my squid was indeed not
bumping and spent the weekend rebuilding my setup. What I found was
that I was misinterpreting some of the cache directives, most
importantly https_port. Basically at some point I ended up with
things configured wrong such that I was sending https requests to the
proxy, at which point the error message (and Google) led me to a previous
reply of yours to a mailing list post:

http://www.squid-cache.org/mail-archive/squid-users/201002/0586.html

which set me on the right path. At least I think it did...

I can't use intercept and actually don't want a transparent proxy
since I will require users to authenticate in order to provide
different levels of access based on LDAP auth. Fun stuff, right?

So I did finally get my config to generate certs using the following:

http_port 192.168.199.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_cert/myCA.pem

ssl_bump server-first all

And I do now see entries in my ssl_crt folder on the server but when I
attempt to reach an https site I get this in the browser:

The following error was encountered while trying to retrieve the URL:
https://accounts.google.com/*

Failed to establish a secure connection to 74.125.133.84

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

This proxy and the remote host failed to negotiate a mutually
acceptable security settings for handling your request. It is possible
that the remote host does not support secure connections, or the proxy
is not satisfied with the host security credentials.

Then in cache.log:

2013/04/01 23:26:11 kid1| fwdNegotiateSSL: Error negotiating SSL
connection on FD 19: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(1/-1/0)

But I have imported the certificate in firefox...

Am I missing an "all" again somewhere ;)

Thanks once again,
Rob

On Thu, Mar 28, 2013 at 6:43 PM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 03/28/2013 04:11 PM, Robert Mason wrote:
>
>> I am seeing GET, POST and CONNECT requests to google in access.log.
>
> Just to make sure we are on the same page, are all of the items below true?
>
> 1. You see a CONNECT request to google.com in access.log.
>
> 2. You see a non-CONNECT request to google.com from the same
> client-Squid connection as CONNECT request in #1 but logged after #1.
>
> 3. You see an origin server certificate _signed_ by Google when looking
> at responses for request in #2.
>
> You can use browser tools like FireBug or %>p logformat code to make
> sure that records in #1 and #2 belong to the same client-Squid connection.
>
> If you see #1 but not #2, then your Squid is not bumping. If you also
> see errors or warnings in cache.log, they may explain why.
>
> If you see #1, #2, and #3, then check again because that combination is
> not possible.
>
>
> Thank you,
>
> Alex.
>
>
>> On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
>> <rousskov_at_measurement-factory.com> wrote:
>>> On 03/24/2013 01:39 AM, Robert Mason wrote:
>>>> Hi Alex! Thanks for the reply.
>>>>
>>>> It seems to see the CONNECT, yes... but still no joy.
>>>>
>>>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>>>
>>> Good. This means that Squid intercepts HTTPS traffic from the browser.
>>> The next step is to figure out whether Squid bumps those intercepted
>>> connections. Are there non-CONNECT requests for mail.google.com:443 in
>>> access.log?
>>>
>>>
>>>> ssl_bump server-first
>>>
>>> Your ssl_bump directive is missing an ACL. Try adding "all":
>>>
>>> ssl_bump server-first all
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>>
>>>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I've been trying to set up a system to do SSL interception and dynamic
>>>>>> certificate generation in order to prevent our users from signing in
>>>>>> to their personal Gmail accounts (our company mail is through Gmail).
>>>>>>
>>>>>> From the info here
>>>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>>>> that I needed to add a header in the request and have that working:
>>>>>>
>>>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>>>
>>>>>> adds it to every http request which I'm fine with but I need to add it
>>>>>> to https requests and that's not happening.
>>>>>>
>>>>>> I have tried things like:
>>>>>>
>>>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>>>
>>>>>> always_direct allow all
>>>>>> ssl_bump allow all
>>>>>> # the following two options are unsafe and not always necessary:
>>>>>> #sslproxy_cert_error allow all
>>>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>>>
>>>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s /etc/squid/var/lib/ssl_db -M 4MB
>>>>>> sslcrtd_children 5
>>>>>>
>>>>>> No love though... I still get the regular Google cert and don't see
>>>>>> certs in my ssl_db folder.
>>>>>>
>>>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>>>
>>>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>>>
>>>>> If it does, are there any errors or warnings in cache.log?
>>>>>
>>>>> Alex.
>>>>>
>>>
>
Received on Tue Apr 02 2013 - 03:40:39 MDT
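Editor's note, added to this archived thread and not part of any message in it: the cache.log error quoted above is raised on the Squid-to-origin leg. With ssl_bump server-first, Squid itself acts as a TLS client to accounts.google.com and verifies the origin certificate against its own trust store, which in Squid 3.x is configured with sslproxy_cafile (a PEM bundle) or sslproxy_capath (a hashed directory). X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is OpenSSL's verify error 20 and means exactly what the error page says: the server sent its chain up to an issuer (here the Equifax root) that is not present locally. A CA certificate imported into Firefox only affects the browser-to-Squid leg, where the browser checks the certificates Squid mints. The two directives commented out in the first message (sslproxy_cert_error allow all, sslproxy_flags DONT_VERIFY_PEER) would silence this check rather than fix it. The script below is an added example, not code from the thread: it reproduces the failure with a constructed root -> intermediate -> leaf chain using the openssl command-line tool (assumed installed), then shows the same chain verifying once the root is supplied as a trusted CA file. All names, subjects and paths in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the verification failure Squid
# logged, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (OpenSSL verify error 20),
# with a constructed root -> intermediate -> leaf chain, then show the same
# chain verifying once the root is supplied as a trusted CA file. For Squid the
# equivalent of "openssl verify -CAfile" is the sslproxy_cafile directive.
# Requires the openssl command-line tool; all names and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf: a fixed subject for the root, and a CA extension section used
# for the root and the intermediate. -subj overrides [ dn ] for the others.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Test Root CA (constructed)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Build the chain; the layout mirrors the one in the error message
# (Equifax root -> Google intermediate -> accounts.google.com leaf).
make_test_pki() {
  # Self-signed root: the certificate a TLS client must already trust.
  openssl req -x509 -new $KEYOPTS -days 1 -config "$WORK/pki.cnf" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root, with CA:TRUE so it may issue the leaf.
  openssl req -new $KEYOPTS -config "$WORK/pki.cnf" -subj "/CN=Test Intermediate CA (constructed)" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions v3_ca \
    -out "$WORK/inter.pem" >/dev/null 2>&1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new $KEYOPTS -config "$WORK/pki.cnf" -subj "/CN=accounts.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# A TLS server sends its leaf and the intermediate (-untrusted here), never the
# root. With no root in the local trust store OpenSSL gets as far as the
# intermediate and stops with error 20: Squid's situation in the thread.
verify_without_root() {
  openssl verify -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Same chain with the root supplied as a trusted CA file; in squid.conf this is
# "sslproxy_cafile /path/to/ca-bundle.pem" (or sslproxy_capath for a hashed dir).
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Predicates for scripting: exit 0 when the expected outcome is seen.
fails_with_error_20() { verify_without_root | grep -q "unable to get local issuer certificate"; }
verifies_ok()         { verify_with_root | grep -q ": OK"; }

make_test_pki
echo "--- no local trust anchor (what Squid reported) ---"
verify_without_root
echo "--- root supplied via -CAfile (sslproxy_cafile equivalent) ---"
verify_with_root
```

Run it with sh. The first verify stops at the intermediate with "error 20 at 1 depth lookup: unable to get local issuer certificate", the OpenSSL wording for the X509_V_ERR code Squid printed; the second reports OK. For a real Squid, point sslproxy_cafile at the operating system's CA bundle (for example the ca_root_nss port's /usr/local/share/certs/ca-root-nss.crt on FreeBSD, or /etc/ssl/certs/ca-certificates.crt on Debian-derived Linux) and keep sslproxy_cert_error and DONT_VERIFY_PEER disabled, so that a bumping proxy does not become a point where every forged origin certificate is accepted on the users' behalf.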

This archive was generated by hypermail 2.2.0 : Tue Apr 02 2013 - 12:00:04 MDT
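Editor's note, also added and not from the thread: Alex's three-point test (a CONNECT, then non-CONNECT requests on the same client-Squid connection) can be scripted against access.log once the client source port is logged. The script below assumes a custom logformat, named bumpcheck here, that records %>a:%>p, the client address and source port (%>p is the logformat code Alex mentions); this format, the log file and its lines are constructed for the example and do not come from the thread or from Squid's default "squid" format. It groups records by client ip:port and reports a connection as bumped when it carries both a CONNECT and at least one decrypted https request, so the result does not depend on the order in which the two kinds of record are written.

```shell
#!/bin/sh
# Added example, not from the thread: script Alex's "is Squid actually bumping?"
# check against access.log. Assumes this (made-up) logformat is in squid.conf:
#   logformat bumpcheck %ts.%03tu %>a:%>p %Ss/%03>Hs %<st %rm %ru
#   access_log /var/log/squid/access.log bumpcheck
# %>a:%>p identifies the client-Squid TCP connection: a bumped connection shows
# a CONNECT plus decrypted GET/POST records for the same ip:port, a tunnelled
# (not bumped) connection shows only the CONNECT.
set -e

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample log: connection :51002 is bumped, :51003 is only tunnelled.
cat > "$LOG" <<'EOF'
1364873171.101 192.168.99.100:51002 TCP_MISS/200 114940 CONNECT mail.google.com:443
1364873171.348 192.168.99.100:51002 TCP_MISS/200 2210 GET https://mail.google.com/mail/
1364873172.010 192.168.99.100:51002 TCP_MISS/200 802 POST https://mail.google.com/mail/u/0/
1364873175.500 192.168.99.100:51003 TCP_MISS/200 5000 CONNECT accounts.google.com:443
EOF

# Print one line per CONNECTed client connection: "<ip:port> bumped|tunnel-only".
# Field 2 is ip:port, field 5 the method, field 6 the URL. Grouping by field 2
# means the verdict does not depend on whether the CONNECT record is written
# before or after the requests that were carried inside it.
classify_connections() {
  awk '
    $5 == "CONNECT" { connect[$2] = 1; next }
    $6 ~ "^https://" { plain[$2]++ }
    END {
      for (c in connect)
        printf "%s %s\n", c, (c in plain) ? "bumped" : "tunnel-only"
    }' "$1" | sort
}

# status_of LOG IP:PORT -> "bumped", "tunnel-only", or nothing if no CONNECT seen.
status_of() {
  classify_connections "$1" | awk -v c="$2" '$1 == c { print $2 }'
}

classify_connections "$LOG"
```

A connection that appears as tunnel-only while ssl_bump is meant to apply to it is the "#1 but not #2" case Alex describes; cache.log, not access.log, then says why the bump did not happen.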