[squid-users] Squid + SSL bump: not able to read payload in ICAP

From: agent_js03 <justinmschw_at_gmail.com>
Date: Fri, 11 Jul 2014 07:59:22 -0700 (PDT)

Hello,

I have squid 3.2 set up with SSL bumping and ICAP configured for reqmod and
respmod. From my ICAP client I am able to see the request line (or
status line for REQMOD) and the HTTP headers. However, for HTTPS, I am
unable to see the payload in plain text. Basically when I try to read the
payload from ICAP, it looks like garbage. It is as if squid is serving me
the HTTP payload undecrypted. Is this supposed to happen? Is there perhaps a
bug in my setup? Here is what my squid.conf looks like:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
icap_enable on
icap_preview_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:13440/archangel
adaptation_access service_req allow all
icap_service service_res respmod_precache 1 icap://127.0.0.1:13440/archangel
adaptation_access service_res allow all

I have generated my own certificates with openssl. Mind you, if I print out
the body for a normal, unencrypted HTTP request, it prints just fine in
plain text. It is for HTTPS that I get the garbage characters. I know that
the payload is not simply binary data because if I print the headers it says
"content-type: text/html" and this is happening for /all/ HTTPS websites
like https://www.google.com/ and others. I need to be able to read the
unencrypted payload in order for my ICAP service to work correctly.

Thanks,
-Justin

Received on Fri Jul 11 2014 - 14:59:23 MDT
