[squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Thu, 12 Jun 2014 13:01:08 -0500

I have been racking my brain trying to get this working and each time,
it refuses to connect to secure sites. In the end we need a working
squid proxy for SSL connections within the company network which will
serve over 1000 users (thus the larger 8MB cert cache size). We already
have the insecure HTTP proxy working fine (thus the use of port 3129
below).
Since it will be SSL based, I know it needs https_port (not http_port),
ssl-bump, and intercept (required by ssl-bump). The https_port and
ssl-bump documentation also mentioned the preference for sslflags (which
may or may not be working in 3.HEAD) and cipher.

OS is Scientific Linux 6.5 (based on CentOS) fully up to date with yum.
Server is quad core 3.4GHz, 8GB DDR3 with no other uses (like web
server, etc).
SELinux has been set to permissive mode so it only reports and doesn't
block the needed connections (although I also tested with it disabled
and it made no difference).
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

Essential squid.conf lines (I have tested it with and without the
"sslflags", does not impact it working or not working):

https_port 3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key sslflags=DELAYED_AUTH cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost

Local certs have been created and self signed, and the .der cert has
been imported into the test browser (Firefox 30.0).

Squid info (includes the needed '--enable-ssl' '--enable-ssl-crtd'
'--with-openssl'):

[root@localhost ~]# squid -v
Squid Cache: Version 3.HEAD-20140127-r13248
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384'
'--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

In the end testing with only the SSL proxy set to this server via port
3129, it tries loading the secure website for 2-3 minutes and then times
out. Checking "top", it shows squid running at 12.1g VIRT, 2.0g RES,
54.5% of MEM (server has 8GB) and using 100% of CPU2. The
../squid/access.log and cache_access.log show no new entries at all. We
had to disable the cache.log (cache_log /dev/null) as it continuously
recorded everything and quickly took up all the space on the 80GB hard
drive.

So the question is what is going wrong that it is refusing to let ANY
secure site load and how can we get this resolved?
We greatly appreciate any help on this.

Mike
Received on Thu Jun 12 2014 - 18:01:11 MDT
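
An added example, not part of the post above and not Squid project code: a small static check of directives like the ones posted against two facts, that Squid applies ssl_bump rules in order with the first match winning, and that RC4 suites (prohibited for TLS by RFC 7465) are enabled only if named in cipher=. The sample config is constructed from the post with some https_port options omitted, and the function names are hypothetical.

```python
# Added example: static checks on a squid.conf excerpt (not Squid project code).

# Constructed sample modelled on the post's config; the https_port directive
# is kept on one logical line and some of its options are omitted for brevity.
SAMPLE_CONF = (
    "https_port 3129 intercept ssl-bump generate-host-certificates=on "
    "cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key "
    "cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH\n"
    "ssl_bump server-first all\n"
    "ssl_bump none localhost\n"
)


def directives(conf):
    """Return [(name, args)] for each directive line, skipping blanks and comments."""
    rows = []
    for line in conf.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            rows.append((words[0], words[1:]))
    return rows


def shadowed_ssl_bump(conf):
    """ssl_bump is first-match: rules listed after '<mode> all' can never apply."""
    rules = [args for name, args in directives(conf) if name == "ssl_bump"]
    for i, args in enumerate(rules):
        if args[1:] == ["all"]:
            return [" ".join(r) for r in rules[i + 1:]]
    return []


def enabled_rc4(conf):
    """List RC4 suites explicitly enabled in cipher= on any http(s)_port line."""
    hits = []
    for name, args in directives(conf):
        if name in ("http_port", "https_port"):
            for arg in args:
                if arg.startswith("cipher="):
                    suites = arg[len("cipher="):].split(":")
                    # Entries prefixed with '!' or '-' remove suites, so skip them.
                    hits += [s for s in suites if "RC4" in s and s[0] not in "!-"]
    return hits


if __name__ == "__main__":
    print("unreachable ssl_bump rules:", shadowed_ssl_bump(SAMPLE_CONF))
    print("RC4 suites enabled:", enabled_rc4(SAMPLE_CONF))
```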
