[squid-users] sslbump working with 3.4.9 but not in intercept mode?

Jason Haar Jason_Haar at trimble.com
Mon Nov 10 09:17:17 UTC 2014


Hi there, I've googled about for this but I think most of the squid
intercept stuff refers to 3.2 and I think things have changed since then?

I have squid-3.4.9 running with sslbump, and when I configure my browser
to use it as a proxy, it bumps the certs nicely, signing "fake"
certs/etc. I then added an iptables rule to redirect outbound tcp/80 onto
port 3129 (see below) and that transparently proxies all port 80 -
great. I then went through the same exercise with sslbump, but when I
put in an iptables rule to redirect outbound tcp/443 traffic onto 3127,
it doesn't bump - it acts like a TCP forwarder instead. I get a "CONNECT
ip.add.ress:443" log record - no sign of the hostname and no bumping.

http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 transparent
https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all

So these older search-engine pages I came across claimed this should
work with squid, but either I am missing something, or this doesn't work
in 3.4.9?

Thanks


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
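The symptom above (a "CONNECT ip.add.ress:443" record with no hostname) can be checked for across a whole access.log rather than by eye. The script below is an added example, not code from the post or from the Squid project; it parses Squid's native access.log format and classifies each client as "bumped" (decrypted https:// request lines present), "tunnelled" (only CONNECT records to a bare IP on port 443, i.e. Squid forwarded the TLS bytes without bumping) or "plain-http". The log lines embedded in it are constructed to mirror the post, not real traffic, and the per-client verdict rule is the example's own heuristic.

```python
"""Audit a Squid native-format access.log for intercepted TLS that was
tunnelled instead of bumped.  Added example; the log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Squid native format:
# time elapsed client action/status size method url ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: .10 shows the "not bumped" symptom from the post,
# .20 shows what a bumped session looks like, .30 is ordinary port-80 traffic.
SAMPLE_LOG = """\
1415612237.101    245 192.168.1.10 TCP_TUNNEL/200 3456 CONNECT 93.184.216.34:443 - HIER_DIRECT/93.184.216.34 -
1415612238.202    110 192.168.1.10 TCP_TUNNEL/200 5120 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
1415612240.303     90 192.168.1.20 TCP_MISS/200 1234 CONNECT 93.184.216.34:443 - HIER_DIRECT/93.184.216.34 -
1415612240.404    120 192.168.1.20 TCP_MISS/200 8765 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1415612241.505     60 192.168.1.20 TCP_MISS/200 2048 GET https://www.example.com/app.js - HIER_DIRECT/93.184.216.34 application/javascript
1415612242.606     30 192.168.1.30 TCP_MISS/200  512 GET http://www.example.org/ - HIER_DIRECT/198.51.100.4 text/html
"""


def is_bare_ip_connect(url):
    """True for a CONNECT target of the form <ip>:443 (IPv4 or [IPv6]),
    which is what an intercepted-but-unbumped TLS session logs as."""
    host, sep, port = url.rpartition(":")
    if not sep:
        return False
    host = host.strip("[]")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname, so the client or SNI gave us a name
    return port == "443"


def parse_line(line):
    """Return the parsed fields of one native-format line, or None."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text):
    """Classify each client IP as 'bumped', 'tunnelled' or 'plain-http'."""
    saw_https = defaultdict(bool)   # decrypted request lines seen
    saw_ip_connect = defaultdict(bool)
    seen = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client = rec["client"]
        seen.add(client)
        if rec["url"].lower().startswith("https://"):
            saw_https[client] = True
        elif rec["method"] == "CONNECT" and is_bare_ip_connect(rec["url"]):
            saw_ip_connect[client] = True
    verdicts = {}
    for client in seen:
        if saw_https[client]:
            verdicts[client] = "bumped"      # decrypted URLs prove the bump worked
        elif saw_ip_connect[client]:
            verdicts[client] = "tunnelled"   # only opaque CONNECT ip:443 records
        else:
            verdicts[client] = "plain-http"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client:16} {verdict}")
```

Run it against a real log with `audit(open("/var/log/squid/access.log").read())`; a client that only ever shows up as "tunnelled" on the intercept port is the case the post describes, whereas an explicit-proxy client that is being bumped will show decrypted GET https:// lines after its CONNECT.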
