[squid-users] sslbump working with 3.4.9 but not in intercept mode?

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 10 10:02:23 UTC 2014



On 10/11/2014 10:17 p.m., Jason Haar wrote:
> Hi there, I've googled about for this but I think most of the
> squid intercept stuff refers to 3.2 and I think things have changed
> since then?
> 
> I have squid-3.4.9 running with sslbump, and when I configure my
> browser to use it as a proxy, it bumps the certs nicely, signing
> "fake" certs/etc. I then added an iptables rule to redirect outbound
> tcp/80 onto port 3129 (see below) and that transparently proxies
> all port 80 - great. I then went through the same exercise with
> sslbump, but when I put in an iptables rule to redirect outbound
> tcp/443 traffic onto 3127, it doesn't bump - it acts like a TCP
> forwarder instead. I get a "CONNECT ip.add.ress:443" log record -
> no sign of the hostname and no bumping.

Two critical details:

1) TCP packet headers do not contain hostnames. The "ip.add.ress:443"
you see is the tcp/443 dst-IP field on the intercepted traffic.


2) ssl_bump is a "fast" group ACL test. It does not hold up traffic
waiting for reverse-DNS lookups on the IP:port details. It just tests
the dst-IP against your regex rules and uses the resulting
match/non-match to decide between bumping or forwarding.

> 
> http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> http_port 3129 transparent
> https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> 
> acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
> acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
> ssl_bump none SSL_nonHTTPS_sites
> ssl_bump none SSL_noIntercept_sites
> ssl_bump server-first all
> 
> So these older search-engine pages I came across claimed this
> should work with squid, but either I am missing something, or this
> doesn't work in 3.4.9?

The TCP forwarding behaviour occurs when your "ssl_bump none" rules
match the IP address of the intercepted tcp/443 traffic.

So it comes down to what your regex files contain and what TCP dst-IPs
your Squid is processing, both of which you have elided from your
description.

Amos
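The check Amos describes (test the "ssl_bump none" regex files against the literal dst-IP string that intercept mode hands the ACL, rather than against a hostname) can be done offline before touching squid.conf. The script below is an added example written for this archive page, not code from the thread or from the Squid project. The file contents, hostnames, addresses and the over-broad `^[0-9]` pattern are all constructed for illustration; Squid's POSIX regex ACL matching is approximated with Python's `re.search` (unanchored, case-sensitive, i.e. no `-i`), and the first-match-wins order of `ssl_bump none ...` before `ssl_bump server-first all` is taken from the quoted config.

```python
import re

# Constructed contents of a hypothetical /etc/squid/SSL_noIntercept_sites.txt.
# These are illustrative patterns, not the files from the thread.
SSL_NOINTERCEPT_SITES = r"""
# internet banking: never bump
\.bank\.example$
# partner portal
^portal\.partner\.example$
# meant for numeric-label hosts such as 1.cdn.example (constructed),
# but it also matches every IPv4 literal, which is the bug this surfaces
^[0-9]
"""

# Constructed sample: what the ACL subject looks like in each mode.
# Explicit proxy: CONNECT carries the hostname. Intercept: only the dst-IP.
SAMPLE_CONNECTIONS = [
    ("www.shop.example", "203.0.113.10"),
    ("login.bank.example", "198.51.100.7"),
]


def parse_regex_file(text):
    """One pattern per line; blank lines and '#' comment lines are skipped
    (assumption: this mirrors how Squid reads a quoted ACL file)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matching_patterns(patterns, subject):
    """Unanchored search, like a dstdom_regex ACL without -i."""
    return [p for p in patterns if re.search(p, subject)]


def ssl_bump_decision(none_patterns, subject):
    """The quoted config lists 'ssl_bump none <acl>' before
    'ssl_bump server-first all'; first match wins, so a hit on the
    none ACL means plain TCP forwarding, otherwise the connection is bumped."""
    return "forward" if matching_patterns(none_patterns, subject) else "bump"


def audit(none_patterns, hostname, dst_ip):
    """Decision in explicit-proxy mode (subject = hostname) versus
    intercept mode (subject = dst-IP string), plus the patterns that
    matched the bare IP: those are what to inspect when intercept
    forwards instead of bumping."""
    return {
        "explicit": ssl_bump_decision(none_patterns, hostname),
        "intercept": ssl_bump_decision(none_patterns, dst_ip),
        "ip_matches": matching_patterns(none_patterns, dst_ip),
    }


if __name__ == "__main__":
    pats = parse_regex_file(SSL_NOINTERCEPT_SITES)
    for host, ip in SAMPLE_CONNECTIONS:
        r = audit(pats, host, ip)
        print(f"{host:22} explicit={r['explicit']:8} "
              f"{ip:15} intercept={r['intercept']:8} via {r['ip_matches']}")
```

Run against the real regex files and the dst-IPs from the "CONNECT ip.add.ress:443" access.log lines, any non-empty `ip_matches` list names the pattern that is turning the intercepted connection into a plain TCP forward.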

