Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A

On 10/18/2013 04:59 AM, Larry Zhao wrote:
> Hi, Eliezer,
>
> Yes, my problem to solve is only to proxy to this specific host, no
> other subdomains need considering.
Well it depends...
If you want to intercept only one DOMAIN or one tree of domains you need
to issue different certificates or a mimic of a certificate.
Also you need the clients to accept certificates from you own server.

It's not that simple just note that..

>
> And to be honest, I am new to this part, from what I could get from
> the page you mentioned, I need to use ssl-bump? Am I right?
If you have one combined key\pem file of both the private key and the
certificate you can use only the cert part..

take a small peak at:
https://workaround.org/certificate-authority

I will continue with it later.

Eliezer
> --
>
> Cheers ~
>
> Larry
>
>
> On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
>> Hey,
>>
>> Only to this specific host or also all the subdomains etc..
>> It differs a bit..
>> A small look at this wiki:
>> http://wiki.squid-cache.org/Features/MimicSslServerCert
>>
>> Will calrify some doubts and situations which you will might see some
>> problem.
>>
>> Eliezer
>>
>>
>> On 10/17/2013 06:44 PM, Larry Zhao wrote:
>>>
>>> Hi, Guys,
>>>
>>>
>>> I am trying to setup a SSL proxy for one of my internal servers to
>>> visit `https://www.googleapis.com` using Squid, to make my Rails
>>> application on that server to reach `googleapis.com` via the proxy.
>>>
>>>
>>> I am new to this, so my approach is to setup a SSL transparent proxy
>>> with Squid. I build `Squid 3.3` on Ubuntu 12.04, generated a pair of
>>> ssl key and crt, and configure squid like this:
>>>
>>>
>>> http_port 443 transparent cert=/home/larry/ssl/server.csr
>>> key=/home/larry/ssl/server.key
>>>
>>>
>>> And leaves almost all other configurations default. The authorization
>>> of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096
>>> Oct 17 15:45 ssl`
>>>
>>>
>>> Back on my dev laptop, I put `<proxy-server-ip> www.googleapis.com` in
>>> my `/etc/hosts` to make the call goes to my proxy server.
>>>
>>>
>>> But when I try it in my rails application, I got:
>>>
>>>
>>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A:
>>> unknown protocol
>>>
>>>
>>> And I also tried with openssl in cli:
>>>
>>>
>>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1
>>> | grep "^SSL"
>>>
>>> SSL_connect:before/connect initialization
>>>
>>> SSL_connect:SSLv2/v3 write client hello A
>>>
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>>
>>>
>>> Where did I do wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
>>>
>>
Received on Fri Oct 18 2013 - 04:09:24 MDT