[squid-users] https could not access with ssl bump in squid 3.4

From: Jerry OELoo <oyljerry_at_gmail.com>
Date: Wed, 26 Feb 2014 11:15:58 +0800

Hi All:
I am new to Squid and want to try its SSL Bump. Please kindly check the
setup below. Thanks in advance.

Network topology:

A, client, Windows7, IP: 10.64.12.100,
B, Proxy server, Ubuntu, running Squid, IP: 10.64.12.101

A and B are in the same LAN, and B can access the internet. I want A's
Chrome browser to access the internet via B as proxy.

1) When I configure Chrome's HTTP/HTTPS proxy to 10.64.12.101:3128, the
http_port from the squid.conf file (so all of A's traffic goes to B's Squid
http_port), it is OK: the Chrome browser can open web pages successfully.

HTTP Proxy, 10.64.12.101, port 3128
HTTPS Proxy, 10.64.12.101, port 3128

squid.conf:
------------------------------------------------------------------------------------------------------------------------------------
# Squid normally listens to port 3128
http_port 3128
------------------------------------------------------------------------------------------------------------------------------------

Questions:
2) When I add https_port to squid.conf as below, and configure Chrome's
proxy settings as below, Chrome cannot access any HTTPS web site and
displays "No data received", and Squid's cache.log shows the following
many times:

kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=10.64.12.101:3130 remote=10.64.12.100:32843 FD 12 flags=33: (92)
Protocol not available

HTTP Proxy, 10.64.12.101, port 3128
HTTPS Proxy, 10.64.12.101, port 3130

squid.conf:
------------------------------------------------------------------------------------------------------------------------------------
# Squid normally listens to port 3128
http_port 3128

# Https Port
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squidcert/certs/proxyCert.pem key=/usr/local/etc/squidcert/private/proxyKey.pem

ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
sslproxy_cert_error allow all
------------------------------------------------------------------------------------------------------------------------------------

-- 
Rejoice,I Desire!
Received on Wed Feb 26 2014 - 03:22:35 MST
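As an added illustration (not part of the post above and not the Squid project's own documentation), the two shapes a Squid 3.4 ssl-bump listener normally takes, written with the post's addresses, ports and file paths. The `intercept` flag makes Squid look up the pre-NAT destination with getsockopt(ORIGINAL_DST), which is exactly the lookup that fails in the cache.log line quoted above when a browser connects to the port directly; the client subnet 10.64.12.0/24 and the iptables rule are assumptions for the intercept case.

```conf
# --- Shape 1: explicit proxy (the browser is told to use 10.64.12.101:3128
# for both HTTP and HTTPS). HTTPS arrives as CONNECT on the plain http_port,
# so the same port carries the ssl-bump options; no https_port is needed.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squidcert/certs/proxyCert.pem key=/usr/local/etc/squidcert/private/proxyKey.pem

# --- Shape 2: transparent interception (the browser has NO proxy setting).
# Only valid when client traffic is routed through the Squid host and NAT
# redirects port 443 to 3130 there; ORIGINAL_DST then returns the real server.
# Assumed firewall rule, shown as a comment because it is not a squid.conf line:
#   iptables -t nat -A PREROUTING -s 10.64.12.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
# https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squidcert/certs/proxyCert.pem key=/usr/local/etc/squidcert/private/proxyKey.pem

# Shared bumping settings (same as in the post).
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
always_direct allow all

# The post also disables verification of the origin server's certificate.
# Left out here on purpose: with these two lines every bumped site is trusted
# regardless of its certificate, so clients can no longer detect a bad upstream.
#   sslproxy_flags DONT_VERIFY_PEER
#   sslproxy_cert_error allow all
```

A port carrying `intercept` must never be the address a browser is configured to use explicitly; pick one shape per listener.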