Re: [squid-users] Centos 6.5 , Squid 3.4.3-1.el6.i386 Transparent HTTPS , SSL_BUMP , HTTPS part not working

From: Rafael Akchurin <rafael.akchurin_at_diladele.com>
Date: Sat, 29 Mar 2014 12:06:57 +0000

Hello Robert,

I had the same error with Firefox only, for me the solution was to patch
gadgets.cc as indicated here
https://github.com/ra-at-diladele-com/qlproxy_external/wiki/Filtering-HTTPS

Raf.

On 3/29/14 12:53 PM, "Robert Becskei" <robert.becskei_at_gmail.com> wrote:

>Hello everyone,
>
> These are the steps I did to install this server (inside vmware
>workstation):
>
>Ifconfig eth0 192.168.186.250
>Ifconfig eth0:0 192.168.201.250
>Ip_forward enabled
>
>1. Install centos 6
>
>2. Upgrade centos 6 (yum upgrade)
>
>3. Disable SeLinux ( I donıt like it)
>
>4. Reboot
>
>5. Enable epel repo
>
>cd /home
>wget
>http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
>rpm ­Uvh epel-release-6.8.noarch.rpm
>
>6. Enable Squid repo
>cd /etc/yum.repos.d
>vi SQUID.repo
>[squid]
>name=Squid repo for CentOS 6
>baseurl=http://www1.ngtech.co.il/rpm/centos/6/i686
>failovermethod=priority
>enabled=1
>gpgcheck=0
>
>7. Yum update
>yum install perl-Crypt-OpenSSL-X509
>yum install squid
>
>8. /usr/lib/squid/ssl_crtd ­c ­s /var/lib/ssl_db
>
>9. Create certificates for SQUID like this
>cd /etc/pki/CA
>cp /etc/pki/tls/openssl.cnf openssl.cnf
>then Iıve edited the openssl.conf like this
>dir = . # Where everything is kept
>certificate = $dir/certs/ca.crt # The CA certificate
>private_key = $dir/private/ca.key # The private key
>
>+ filed in default values for company, site, domain , e-mail address.
>
>
> 10. Created key's like this :
>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout
>private/ca.key -out certs/ca.crt -days 3650
>openssl req -config openssl.cnf -new -nodes -keyout private/home.key -out
>home.csr -days 3650
>openssl ca -config openssl.cnf -policy policy_anything -out certs/home.crt
>-infiles home.csr
>
>11. Copied the files to SQUID folder
>
>/etc/squid/ssl_cert/ca.crt
>/etc/squid/ssl_cert/home.crt
>/etc/squid/ssl_cert/private/home.key
>Cd /etc/squid/ssl_cert/private/
>Cp home.key home.back
>Openssl rsa -in home.bak -out home.key
>
>12. SQUID config
>acl localnet src 192.168.201.0/24
>
>acl SSL_ports port 443
>acl Safe_ports port 80 # http
>acl Safe_ports port 21 # ftp
>acl Safe_ports port 443 # https
>acl Safe_ports port 70 # gopher
>acl Safe_ports port 210 # wais
>acl Safe_ports port 1025-65535 # unregistered ports
>acl Safe_ports port 280 # http-mgmt
>acl Safe_ports port 488 # gss-http
>acl Safe_ports port 591 # filemaker
>acl Safe_ports port 777 # multiling http
>acl CONNECT method CONNECT
>
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>http_access allow all
>
>http_port 3130
>
>http_port 3128 intercept
>https_port 3129 intercept ssl-bump generate-host-certificates=on
>dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/home.crt
>key=/etc/squid/ssl_cert/private/home.key
>
>#always_direct allow all
>ssl_bump server-first all
>#sslproxy_cert_error allow all
>#sslproxy_flags DONT_VERIFY_PEER
>
>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>sslcrtd_children 5
>
>coredump_dir /var/spool/squid
>
># Add any of your own refresh_pattern entries above these.
>refresh_pattern ^ftp: 1440 20% 10080
>refresh_pattern ^gopher: 1440 0% 1440
>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>refresh_pattern . 0 20% 4320
>
>
>shutdown_lifetime 1 second
>
>#debug_options ALL,2
>
>
>13. DNS server on this machine (so that proxy.home.lan resolves...)
>/etc/named.conf
>//
>// named.conf
>//
>// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
>// server as a caching only nameserver (as a localhost DNS resolver only).
>//
>// See /usr/share/doc/bind*/sample/ for example named configuration files.
>//
>
>acl mynet {
> 192.168.201.0/24; # test network
> 127.0.0.1; # localhost
> };
>
>options {
> listen-on {
> mynet;
> };
> listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { mynet; };
> recursion yes;
>
> forward only;
> forwarders {
> 8.8.8.8;
> };
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
>
> managed-keys-directory "/var/named/dynamic";
>};
>
>logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
>};
>
>zone "." IN {
> type hint;
> file "named.ca";
>};
>
>include "/etc/named.rfc1912.zones";
>include "/etc/named.root.key";
>
>#############################################
># home.lan
>#############################################
>
>zone "home.lan" IN {
> type master;
> file "/var/named/home.lan/db.home";
> allow-query {
> mynet;
> };
> };
>
>/var/named/home.lan/db.home
>$ORIGIN home.lan.
>$TTL 86400
>@ IN SOA proxy.home.lan. proxy.home.lan. (
> 2014032801 ; Serial
> 28800 ; Refresh
> 7200 ; Retry
> 604800 ; Expire
> 86400 ; Negative Cache TTL
> )
>@ IN NS proxy.home.lan.
>proxy IN A 192.168.186.250
>
>
>14. Install NTP on this server to sync time properly
>
>15. Configure Windows XP client (fully updated ) to use 192.168.201.250 as
>default gateway and as DNS
>16. Ping proxy.home.lan it resolves, ping www.google.com it resolves
>17. www.google.com I get a warning that the certificate is not trusted
>(but
>only with firefox) do I want to install, I can check certificate
>It is correctly issued by proxy.home.lan for www.google.com .
>18. Install ca.crt into clients root trusted certificates
>19. behold error (and be very frustrated) : Peer's certificate has an
>invalid signature
>
>I tried to re-do my steps, I tried multiple howto's (some were outdated)
>I've tried the irc for squid, but no help. What did I overlook here?
>Why is this not working ?
>
>Oh iptables on server is
>
>iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j
>DNAT
>--to 192.168.201.250:3128
>iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j
>DNAT
>--to 192.168.201.250:3129
>
>There is no error in log file , I have checked certificates are generated
>for the sites I visit in /var/lib/ssl_db
>For example www.grc.com get's a generated certificate even though I am not
>able to access it.
>Only firefox was friendly enough to provide this error above, Internet
>explorer does not display anything at all, regardless if certificate
>Is installed on client or not. (guess they went 100% sure this time with
>certificates to disallow by default)
>
>Thank you for reading this, and please help if you can.
>
>Greetings
>Robert
>
>
>
>
>
>
>
>
>
>
Received on Sat Mar 29 2014 - 12:07:09 MDT

This archive was generated by hypermail 2.2.0 : Sat Mar 29 2014 - 12:00:06 MDT