[squid-users] Centos 6.5 , Squid 3.4.3-1.el6.i386 Transparent HTTPS , SSL_BUMP , HTTPS part not working

From: Robert Becskei <robert.becskei_at_gmail.com>
Date: Sat, 29 Mar 2014 12:53:38 +0100

Hello everyone,

These are the steps I did to install this server (inside VMware Workstation):

ifconfig eth0 192.168.186.250
ifconfig eth0:0 192.168.201.250
ip_forward enabled

1. Install centos 6

2. Upgrade centos 6 (yum upgrade)

3. Disable SELinux (I don't like it)

4. Reboot

5. Enable epel repo

cd /home
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

6. Enable Squid repo
cd /etc/yum.repos.d
vi SQUID.repo
[squid]
name=Squid repo for CentOS 6
baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
failovermethod=priority
enabled=1
gpgcheck=0

7. Yum update
yum install perl-Crypt-OpenSSL-X509
yum install squid

8. /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

9. Create certificates for SQUID like this
cd /etc/pki/CA
cp /etc/pki/tls/openssl.cnf openssl.cnf
then I've edited the openssl.cnf like this
dir             = .                     # Where everything is kept
certificate     = $dir/certs/ca.crt     # The CA certificate
private_key     = $dir/private/ca.key   # The private key

+ filled in default values for company, site, domain, e-mail address.

10. Created keys like this:
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
openssl req -config openssl.cnf -new -nodes -keyout private/home.key -out home.csr -days 3650
openssl ca -config openssl.cnf -policy policy_anything -out certs/home.crt -infiles home.csr

11. Copied the files to SQUID folder

/etc/squid/ssl_cert/ca.crt
/etc/squid/ssl_cert/home.crt
/etc/squid/ssl_cert/private/home.key
cd /etc/squid/ssl_cert/private/
cp home.key home.bak
openssl rsa -in home.bak -out home.key   # strip the passphrase from the key

12. SQUID config
acl localnet src 192.168.201.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt key=/etc/squid/ssl_cert/private/home.key

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

shutdown_lifetime 1 second

#debug_options ALL,2

13. DNS server on this machine (so that proxy.home.lan resolves...)
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl mynet {
    192.168.201.0/24; # test network
    127.0.0.1; # localhost
    };

options {
        listen-on {
                mynet;
                };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { mynet; };
        recursion yes;
        
        forward only;
        forwarders {
            8.8.8.8;
            };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

#############################################
# home.lan
#############################################

zone "home.lan" IN {
    type master;
    file "/var/named/home.lan/db.home";
    allow-query {
        mynet;
        };
    };

/var/named/home.lan/db.home
$ORIGIN home.lan.
$TTL 86400
@ IN SOA proxy.home.lan. proxy.home.lan. (
    2014032801 ; Serial
    28800 ; Refresh
    7200 ; Retry
    604800 ; Expire
    86400 ; Negative Cache TTL
    )
@ IN NS proxy.home.lan.
proxy IN A 192.168.186.250

14. Install NTP on this server to sync time properly

15. Configure Windows XP client (fully updated) to use 192.168.201.250 as default gateway and as DNS
16. Ping proxy.home.lan, it resolves; ping www.google.com, it resolves
17. www.google.com: I get a warning that the certificate is not trusted (but only with Firefox), do I want to install; I can check the certificate. It is correctly issued by proxy.home.lan for www.google.com.
18. Install ca.crt into the client's trusted root certificates
19. Behold error (and be very frustrated): Peer's certificate has an invalid signature

I tried to redo my steps, I tried multiple howtos (some were outdated), I've tried the IRC for Squid, but no help. What did I overlook here? Why is this not working?

Oh, iptables on the server is:

iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to 192.168.201.250:3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to 192.168.201.250:3129

There is no error in the log file. I have checked: certificates are generated for the sites I visit in /var/lib/ssl_db. For example www.grc.com gets a generated certificate even though I am not able to access it.
Only Firefox was friendly enough to provide the error above; Internet Explorer does not display anything at all, regardless of whether the certificate is installed on the client or not. (Guess they went 100% sure this time with certificates to disallow by default.)

Thank you for reading this, and please help if you can.

Greetings
Robert
Received on Sat Mar 29 2014 - 11:54:02 MDT

This archive was generated by hypermail 2.2.0 : Sun Mar 30 2014 - 12:00:06 MDT