[squid-users] sslBump, squid in transparent mode
Eugene M. Zheganin
emz at norma.perm.ru
Mon Dec 28 18:46:46 UTC 2015
I'm still trying to figure out why I get certificate generated for IP
address instead of hostname when the HTTPS traffic is intercepted bu
sllBump-enable squid. I'm using iptables to do this:
rdr on $iifs inet proto tcp from 192.168.0.0/16 to !<rfc1918> port 443
-> 127.0.0.1 port 3131
rdr on vpn inet proto tcp from 192.168.0.0/16 to !<rfc1918> port 443 ->
127.0.0.1 port 3131
and the port is configured as follows:
https_port 127.0.0.1:3131 intercept ssl-bump
https_port [::1]:3131 intercept ssl-bump
This way I'm getting a waring in browser (https://youtube.com is opened
in the example below):
youtube.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for 188.8.131.52
(Error code: sec_error_unknown_issuer)
And the tcpdump capture clearly shows that client browser did sent an SNI:
I'll apreciate any help.
More information about the squid-users