[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Mon Jul 6 09:22:20 UTC 2015


Hi all,

I tried to build an SSL-bumping proxy with an upstream proxy, but the client
fails to connect, as shown below.

The error:
---
$ curl https://www.google.co.jp -vvvv -k
* Rebuilt URL to: https://www.google.co.jp/
* Trying ::1...
* Connected to localhost (::1) port 3128 (#0)
* Establish HTTP proxy tunnel to www.google.co.jp:443
> CONNECT www.google.co.jp:443 HTTP/1.1
> Host: www.google.co.jp:443
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.google.co.jp:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
---

My squid.conf:
---
# default acls/configs are ignored
cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
never_direct allow all
ssl_bump peek all
ssl_bump bump all
http_port 3128 ssl-bump \
cert=/etc/squid/ssl/ca.crt \
key=/etc/squid/ssl/ca.key \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB
---

From the cache_peer port, you may notice that I'm using privoxy.
That's right, as I need to redirect the SSL traffic to a SOCKS5 proxy,
or I can never access some sites.

Here are some of my experiments:
1) Remove "never_direct"
Then ssl_bump works as expected, but none of the traffic goes through
the SOCKS5 proxy, so there are a lot of sites I can't access.

2) Use the local 8118 proxy directly
That works fine without any problem, but ssl_bump is needed...
So this just proves that privoxy is working.

Any clue?

Thanks
