[squid-users] sslBump, squid in transparent mode
Eugene M. Zheganin
emz at norma.perm.ru
Mon Dec 28 18:46:46 UTC 2015
Hi.
I'm still trying to figure out why I get certificate generated for IP
address instead of hostname when the HTTPS traffic is intercepted bu
sllBump-enable squid. I'm using iptables to do this:
rdr on $iifs inet proto tcp from 192.168.0.0/16 to !<rfc1918> port 443
-> 127.0.0.1 port 3131
rdr on vpn inet proto tcp from 192.168.0.0/16 to !<rfc1918> port 443 ->
127.0.0.1 port 3131
and the port is configured as follows:
https_port 127.0.0.1:3131 intercept ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
https_port [::1]:3131 intercept ssl-bump
cert=/usr/local/etc/squid/certs/squid.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
dhparams=/usr/local/etc/squid/certs/dhparam.pem
This way I'm getting a waring in browser (https://youtube.com is opened
in the example below):
===Cut===
youtube.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for 173.194.71.91
(Error code: sec_error_unknown_issuer)
===Cut===
And the tcpdump capture clearly shows that client browser did sent an SNI:
https://gyazo.com/c1ba348fb4ee56c6c30f3e22ff9877f8
I'll apreciate any help.
Thanks.
Eugene.
More information about the squid-users
mailing list