[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

Yuri Voinov yvoinov at gmail.com
Mon Jul 6 14:05:53 UTC 2015


My own solution in conjunction with Tor + Privoxy looks like this (Note:
for Squid 3.4.13):

# Tor acl
acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# And finally deny all other access to this proxy
http_access deny all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key
sslproxy_capath /etc/opt/csw/ssl/certs
sslproxy_options NO_SSLv2 NO_SSLv3
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

Generally, it works like a charm.

On 06.07.15 15:22, adam900710 wrote:
> Hi all,
>
> I tried to build an SSL bumping proxy with an upper-level proxy, but the client
> failed to connect, as shown below.
>
> The error:
> ---
> $ curl https://www.google.co.jp -vvvv -k
> * Rebuilt URL to: https://www.google.co.jp/
> * Trying ::1...
> * Connected to localhost (::1) port 3128 (#0)
> * Establish HTTP proxy tunnel to www.google.co.jp:443
>> CONNECT www.google.co.jp:443 HTTP/1.1
>> Host: www.google.co.jp:443
>> User-Agent: curl/7.43.0
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.google.co.jp:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> ---
>
> My squid.conf:
> ---
> # default acls/configs are ignored
> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> never_direct allow all
> ssl_bump peek all
> ssl_bump bump all
> http_port 3128 ssl-bump \
> cert=/etc/squid/ssl/ca.crt \
> key=/etc/squid/ssl/ca.key \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4MB
> ---
>
> From the cache_peer port, someone may notice that I'm using privoxy.
> That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
> or I can't ever access some sites.
>
> Here are some of my experiments:
> 1) Remove "never_direct"
> Then ssl_bump works as expected, but the traffic doesn't go through
> the SOCKS5 proxy. So there are a lot of sites I can't access.
>
> 2) Use local 8118 proxy
> That works fine without any problem, but ssl_bump is needed...
> So that just proves privoxy is working.
>
> Any clue?
>
> Thanks

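The difference between the two configurations in this thread comes down to how Squid combines always_direct, never_direct and cache_peer_access when choosing a route. The Python below is an added illustration (not code from either poster or from the Squid project) that models that decision for the rules quoted above: first-match access lists whose default is the opposite of the last rule, always_direct evaluated before never_direct so that a match there skips the peer entirely, and cache_peer_access gating whether the Privoxy parent may be used at all. The Tor URL patterns are constructed stand-ins for the url.tor file, which is not on the page, and the evaluation order is my reading of Squid's peer selection rather than anything stated in the thread.

```python
import re

# Constructed patterns standing in for /usr/local/squid/etc/url.tor
# (the real file from the message is not on the page).
TOR_URL_PATTERNS = [
    r"^https?://[^/]+\.onion(/|$)",
    r"^https?://check\.torproject\.org/",
]


class UrlRegexAcl:
    """Models 'acl NAME url_regex -i FILE': any pattern may match the full URL."""

    def __init__(self, name, patterns, ignore_case=True):
        flags = re.IGNORECASE if ignore_case else 0
        self.name = name
        self.patterns = [re.compile(p, flags) for p in patterns]

    def matches(self, url):
        return any(p.search(url) for p in self.patterns)


# The built-in 'all' ACL matches everything; it is represented by None.
ACLS = {"tor_url": UrlRegexAcl("tor_url", TOR_URL_PATTERNS), "all": None}


def acl_matches(name, url):
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negate = name.startswith("!")
    acl = ACLS[name.lstrip("!")]
    hit = True if acl is None else acl.matches(url)
    return not hit if negate else hit


def first_match(rules, url):
    """Squid access-list semantics: the first rule whose ACLs all match decides;
    if no rule matches, the result is the opposite of the last rule's action."""
    for action, acl_names in rules:
        if all(acl_matches(n, url) for n in acl_names):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"


def route(url, always_direct, never_direct, peer_access):
    """Model of Squid's route choice (assumption: always_direct is checked first
    and an allow there ends the decision; never_direct then forces the peer;
    cache_peer_access decides whether the parent is usable for this URL)."""
    if first_match(always_direct, url):
        return "DIRECT"
    # With no cache_peer_access lines the parent is usable for every request.
    peer_ok = first_match(peer_access, url) if peer_access else True
    if first_match(never_direct, url):
        # Peer-only routing; if the parent refuses the URL Squid cannot forward it.
        return "PEER" if peer_ok else "NO ROUTE (503)"
    return "PEER, then DIRECT" if peer_ok else "DIRECT"


# Yuri's working rules, transcribed from the message above.
YURI = dict(
    always_direct=[("deny", ["tor_url"]), ("allow", ["all"])],
    never_direct=[("allow", ["tor_url"])],
    peer_access=[("allow", ["tor_url"]), ("deny", ["all"])],
)

# adam900710's rules from the quoted question: no always_direct, no
# cache_peer_access, and never_direct allow all.
ADAM = dict(always_direct=[], never_direct=[("allow", ["all"])], peer_access=[])

# Constructed sample URLs; the .onion name is made up.
SAMPLE_URLS = [
    "https://www.google.co.jp/",
    "https://example3xmplx2e.onion/",
    "http://CHECK.torproject.org/",
]


def routes_for(config, urls):
    return {u: route(u, **config) for u in urls}


if __name__ == "__main__":
    for label, cfg in (("Yuri", YURI), ("adam900710", ADAM)):
        print(f"== {label} ==")
        for url, decision in routes_for(cfg, SAMPLE_URLS).items():
            print(f"{decision:18} {url}")
```

Running it shows that in the working setup only the Tor-matching URLs are sent to the Privoxy parent and everything else goes direct, whereas `never_direct allow all` with no cache_peer_access sends every bumped connection, google.co.jp included, through the parent. One further point a reviewer of the working configuration would note: `sslproxy_cert_error allow all` tells Squid to accept any upstream certificate error, so the bumping proxy itself no longer verifies the origin server's identity for its users.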
