[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

Yuri Voinov yvoinov at gmail.com
Mon Jul 6 14:23:21 UTC 2015


I use version 3.4. Yes, these are old directives.

3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception
environment.

06.07.15 20:21, adam900710 writes:
> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>
> My own solution in conjunction with Tor + Privoxy looks like this (Note:
> for Squid 3.4.13):
>
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
> > This seems to be an old config directive.
> > The new corresponding one should be "ssl_bump bump net_bump"
>
> > And, no "peek" one? Or that's the problem?
>
> > Thanks.
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> http_port 3127
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key
> > I also tried such a config.
> > With such "http_port" and "http_port intercept", with ssl-bump last.
> > Although curl works under test, the certificate is not the fake one.
> > (The issuer is not my fake one.)
> > So I consider ssl-bump not to be working in that case.
>
> > I'd like to reply when I set it up later to test.
>
> > Thanks
>
> sslproxy_capath /etc/opt/csw/ssl/certs
> sslproxy_options NO_SSLv2 NO_SSLv3
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> Generally,
>
> works like charm.
>
> 06.07.15 15:22, adam900710 writes:
> >>> Hi all,
> >>>
> >>> I tried to build an SSL bumping proxy with an upper-level proxy, but the
> >>> client failed to connect, as shown below.
> >>>
> >>> The error:
> >>> ---
> >>> $ curl https://www.google.co.jp -vvvv -k
> >>> * Rebuilt URL to: https://www.google.co.jp/
> >>> * Trying ::1...
> >>> * Connected to localhost (::1) port 3128 (#0)
> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
> >>>> Host: www.google.co.jp:443
> >>>> User-Agent: curl/7.43.0
> >>>> Proxy-Connection: Keep-Alive
> >>>>
> >>> < HTTP/1.1 200 Connection established
> >>> <
> >>> * Proxy replied OK to CONNECT request
> >>> * ALPN, offering http/1.1
> >>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> >>> * successfully set certificate verify locations:
> >>> * CAfile: /etc/ssl/certs/ca-certificates.crt
> >>> CApath: none
> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
> >>> * Closing connection 0
> >>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> >>> ---
> >>>
> >>> My squid.conf:
> >>> ---
> >>> # default acls/configs are ignored
> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> >>> never_direct allow all
> >>> ssl_bump peek all
> >>> ssl_bump bump all
> >>> http_port 3128 ssl-bump \
> >>> cert=/etc/squid/ssl/ca.crt \
> >>> key=/etc/squid/ssl/ca.key \
> >>> generate-host-certificates=on \
> >>> dynamic_cert_mem_cache_size=4MB
> >>> ---
> >>>
> >>> From the cache_peer port, someone may notice that I'm using privoxy.
> >>> That's right, as I need to redirect the SSL traffic to a SOCKS5 proxy,
> >>> or I can't access some sites at all.
> >>>
> >>> Here are some of my experiments:
> >>> 1) Remove "never_direct"
> >>> Then ssl_bump works as expected, but the traffic doesn't go through
> >>> the SOCKS5 proxy. So there are a lot of sites I can't access.
> >>>
> >>> 2) Use the local 8118 proxy
> >>> That works fine without any problem, but ssl_bump is needed...
> >>> So that just proves privoxy is working.
> >>>
> >>> Any clue?
> >>>
> >>> Thanks
>
>>

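A check for the three outcomes seen in this thread (handshake dies after Client Hello, tunnel works but the server's real certificate comes through unbumped, certificate forged by the local root CA), as an added example that is not part of the original thread. It classifies `curl -v` output by the certificate issuer, the way adam checked it by hand; the sample transcripts and the CA name `squid-rootCA` are constructed, and `probe` assumes curl is installed.

```python
import re
import subprocess

# Classify a `curl -v` transcript of a request sent through the proxy.
# ca_cn is the CN of the root CA the proxy signs its forged certs with.
# Returns "handshake_failed", "not_bumped" or "bumped".
def classify_curl_output(verbose: str, ca_cn: str) -> str:
    # curl exit 35 is what the thread shows when the bumped handshake dies
    if re.search(r"^curl: \(35\)", verbose, re.M):
        return "handshake_failed"
    m = re.search(r"^\*\s+issuer:\s*(.+)$", verbose, re.M)
    if m is None:
        return "handshake_failed"   # no server certificate was ever shown
    # The issuer line is "C=..; O=..; CN=.."; compare only the CN
    cn = re.search(r"CN=([^;,]+)", m.group(1))
    if cn and cn.group(1).strip() == ca_cn:
        return "bumped"             # forged cert: ssl-bump is active
    return "not_bumped"             # real upstream cert: traffic was tunnelled

def probe(proxy: str, url: str, ca_cn: str) -> str:
    # -k: the forged cert is not in curl's CA bundle; we only want to see it
    p = subprocess.run(["curl", "-sv", "-k", "-x", proxy, "-o", "/dev/null", url],
                       capture_output=True, text=True)
    return classify_curl_output(p.stderr, ca_cn)

# Constructed sample transcripts (not real captures)
SAMPLE_FAILED = """\
* Establish HTTP proxy tunnel to www.google.co.jp:443
< HTTP/1.1 200 Connection established
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
"""
SAMPLE_NOT_BUMPED = """\
* Server certificate:
*  subject: CN=www.google.co.jp
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
"""
SAMPLE_BUMPED = """\
* Server certificate:
*  subject: CN=www.google.co.jp
*  issuer: O=Example Squid; CN=squid-rootCA
"""

if __name__ == "__main__":
    for text in (SAMPLE_FAILED, SAMPLE_NOT_BUMPED, SAMPLE_BUMPED):
        print(classify_curl_output(text, "squid-rootCA"))
```

Run `probe("http://127.0.0.1:3128", "https://www.google.co.jp/", "squid-rootCA")` against a live proxy to get the same classification for real traffic.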
