[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Mon Jul 6 14:11:13 UTC 2015 

Great thanks,I'll try it later.

Thanks
2015年7月6日 22:06于 "Yuri Voinov" <yvoinov at gmail.com>写道:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> My own solution in conjunction with Tor + Privoxy looks like this (Note:
> for Squid 3.4.13):
>
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> http_port 3127
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key
> sslproxy_capath /etc/opt/csw/ssl/certs
> sslproxy_options NO_SSLv2 NO_SSLv3
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> Generally,
>
> works like charm.
>
> 06.07.15 15:22, adam900710 пишет:
> > Hi all,
> >
> > I tried to build a ssl bumping proxy with up level proxy, but client
> > failed to connect like the following.
> >
> > The error:
> > ---
> > $ curl https://www.google.co.jp -vvvv -k
> > * Rebuilt URL to: https://www.google.co.jp/
> > * Trying ::1...
> > * Connected to localhost (::1) port 3128 (#0)
> > * Establish HTTP proxy tunnel to www.google.co.jp:443
> >> CONNECT www.google.co.jp:443 HTTP/1.1
> >> Host: www.google.co.jp:443
> >> User-Agent: curl/7.43.0
> >> Proxy-Connection: Keep-Alive
> >>
> > < HTTP/1.1 200 Connection established
> > <
> > * Proxy replied OK to CONNECT request
> > * ALPN, offering http/1.1
> > * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> > * successfully set certificate verify locations:
> > * CAfile: /etc/ssl/certs/ca-certificates.crt
> > CApath: none
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > * Unknown SSL protocol error in connection to www.google.co.jp:443
> > * Closing connection 0
> > curl: (35) Unknown SSL protocol error in connection to
> www.google.co.jp:443
> > ---
> >
> > My squid.conf:
> > ---
> > # default acls/configs are ignored
> > cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> > never_direct allow all
> > ssl_bump peek all
> > ssl_bump bump all
> > http_port 3128 ssl-bump \
> > cert=/etc/squid/ssl/ca.crt \
> > key=/etc/squid/ssl/ca.key \
> > generate-host-certificates=on \
> > dynamic_cert_mem_cache_size=4MB
> > ---
> >
> > From the cache_peer port, someone may notice that I'm using privoxy.
> > That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
> > or I can't ever access some sites.
> >
> > Here is some of my experiments:
> > 1) Remove "never_direct"
> > Then ssl_bump works as expected, but all traffic doesn't goes through
> > the SOCKS5 proxy. So a lot of sites I can't access.
> >
> > 2) Use local 8118 proxy
> > That works fine without any problem, but SSL_dump is needed...
> > So just prove privoxy are working.
> >
> > Any clue?
> >
> > Thanks
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVmotBAAoJENNXIZxhPexG0PQIAJ0Cy3o/diVtZsCYPTZ5At8K
> RuP3wHjahKhXj3xZjLiE+QKWvfr1ehZNWSj4wHF616ciX2w23QbghqNIBbV7Awpl
> 7JrTIv3L2nR/19uWgmr2FnhCKf2gSeC9j9Za0aBPAv3PoPwkMNmLbdlwq3mG8pey
> 6Tk8Tsh8+BlfUYXNgO+x/05eyLx6k4ZRV7009E7U3akt5ye+d8vcYXSfwL8+O+ni
> JReTJ2CwXSakb+Olti+ZTJvJWxI49Szdc3FrAyh7cTe2Bgo8hDTyW9Pj5WNvINYG
> +LQZUqOBF/YWtvpXbVVWAcJxYyzTGJJE/1+TtfIFEDsULTe4G74wCqsPu5VanM0=
> =TEp1
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150706/c0b9acfd/attachment.html>

More information about the squid-users mailing list