Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <>
Date: Mon, 1 Apr 2013 23:40:28 -0400

Hi Alex,

Thanks for all your help so far!

After further investigation I did find that my squid was indeed not
bumping and spent the weekend rebuilding my setup. What I found was
that I was misinterpreting some of the cache directives, most
importantly https_port. Basically at some point I ended up with
things configured wrong such that I was sending https requests to the
proxy at which point the error message (and google) led me to previous
reply of yours to a mailing list post:

which set me on the right path. At least I think it did...

I can't use intercept and actually don't want a transparent proxy
since I will require users to authenticate in order to provide
different levels of access based on ldap auth. Fun stuff right?

So I did finally get my config to generate certs using the following:

http_port ssl-bump generate-host-certificates=on

ssl_bump server-first all

And I do now see entries in my ssl_crt folder on the server but when I
attempt to reach an https site I get this in the browser:

The following error was encountered while trying to retrieve the URL:*

Failed to establish a secure connection to

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

This proxy and the remote host failed to negotiate a mutually
acceptable security settings for handling your request. It is possible
that the remote host does not support secure connections, or the proxy
is not satisfied with the host security credentials.

Then in cache.log:

2013/04/01 23:26:11 kid1| fwdNegotiateSSL: Error negotiating SSL
connection on FD 19: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

But I have imported the certificate in firefox...

Am I missing an all again somewhere ;)

Thanks once again,

On Thu, Mar 28, 2013 at 6:43 PM, Alex Rousskov
<> wrote:
> On 03/28/2013 04:11 PM, Robert Mason wrote:
>> I am seeing GET, POST and CONNECT requests to google in access.log.
> Just to make sure we are on the same page, are all of the items below true?
> 1. You see a CONNECT request to in access.log.
> 2. You see a non-CONNECT request to from the same
> client-Squid connection as CONNECT request in #1 but logged after #1.
> 3. You see an origin server certificate _signed_ by Google when looking
> at responses for request in #2.
> You can use browser tools like FireBug or %>p logformat code to make
> sure that records in #1 and #2 belong to the same client-Squid connection.
> If you see #1 but not #2, then your Squid is not bumping. If you also
> see errors or warnings in cache.log, they may explain why.
> If you see #1, #2, and #3, then check again because that combination is
> not possible.
> Thank you,
> Alex.
>> On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
>> <> wrote:
>>> On 03/24/2013 01:39 AM, Robert Mason wrote:
>>>> Hi Alex! Thanks for the reply.
>>>> It seems to see the CONNECT yes.. but still no joy.
>>>> TCP_MISS/200 114940 CONNECT
>>> Good. This means that Squid intercepts HTTPS traffic from the browser.
>>> The next step is to figure out whether Squid bumps those intercepted
>>> connections. Are there non-CONNECT requests for in
>>> access.log?
>>>> ssl_bump server-first
>>> Your ssl_bump directive is missing an ACL. Try adding "all":
>>> ssl_bump server-first all
>>> HTH,
>>> Alex.
>>>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>>>> Hi all,
>>>>>> I've been trying to setup a system to do ssl interception and dynamic
>>>>>> certificate generation in order to prevent our users from signing in
>>>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>>> >From the info here
>>>>>> I found
>>>>>> that I needed to add a header in the request and have that working:
>>>>>> request_header_add X-GoogApps-Allowed-Domains all
>>>>>> adds it to every http request which I'm fine with but I need to add it
>>>>>> to https requests and that's not happening.
>>>>>> I have tried things like:
>>>>>> http_port ssl-bump generate-host-certificates=on
>>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>>> always_direct allow all
>>>>>> ssl_bump allow all
>>>>>> # the following two options are unsafe and not always necessary:
>>>>>> #sslproxy_cert_error allow all
>>>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>>>> sslcrtd_children 5
>>>>>> No love though.. I still get the regular google cert and don't see
>>>>>> certs in my ssl_db folder.
>>>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>>> If it does, are there any errors or warnings in cache.log?
>>>>> Alex.
Received on Tue Apr 02 2013 - 03:40:39 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 02 2013 - 12:00:04 MDT