[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Tue Jul 7 01:12:55 UTC 2015


Some extra clue:

Cache log says:
------
2015/07/07 08:55:54 kid1| Accepting SSL bumped HTTP Socket connections
at local=[::]:3128 remote=[::] FD 23 flags=9
2015/07/07 08:55:55 kid1| storeLateRelease: released 0 objects
2015/07/07 08:55:57 kid1| assertion failed: PeerConnector.cc:116:
"peer->use_ssl"
------

So I tried adding "ssl" at the end of "cache_peer" directive.
And it still fails but with different error, squid error page now.

Google also found some mail archive from Amos, which implies that,
squid doesn't yet support
CONNECT + SSL/TLS cache_peer.
http://squid-web-proxy-cache.1019090.n4.nabble.com/Behind-enemy-lines-squid-behind-proxy-td4668223.html

If so, I think I'd better seek other solutions like use direct_allow
with tsocks/proxychains...

Thanks.

2015-07-07 8:54 GMT+08:00 adam900710 <adam900710 at gmail.com>:
> Tried your config in my environment.
> Although curl can get to the sites through privoxy, just like the log says:
> ------
> 1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT
> www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
> ------
>
> But the certificate got is still the original one, not the fake one:
> ------
> * Server certificate:
> *      subject: C=US; ST=California; L=Mountain View; O=Google Inc;
> CN=www.google.com
> *      start date: 2015-06-18 08:52:56 GMT
> *      expire date: 2015-09-16 00:00:00 GMT
> *      issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
> *      SSL certificate verify ok.
> ------
>
> Does it works only in 3.4?
> Anyway, I'll try to downgrade squid and try it again.
>
> Thanks
>
> 2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> I use 3.4 version. Yes, this is old directives.
>>
>> 3.5.x, on my opinion, don't do SSL Bump in NAT transparent interception
>> environment.
>>
>> 06.07.15 20:21, adam900710 пишет:
>>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>>>
>>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>>> for Squid 3.4.13):
>>>
>>> # Tor acl
>>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>>
>>> # SSL bump rules
>>> sslproxy_cert_error allow all
>>> ssl_bump none localhost
>>> ssl_bump none url_nobump
>>> ssl_bump none dst_nobump
>>> ssl_bump server-first net_bump
>>> > This seems to be old config directive.
>>> > New corresponding one shoud be "ssl_bump bump net_bump"
>>>
>>> > And, no "peek" one? Or that's the problem?
>>>
>>> > Thanks.
>>>
>>> # Privoxy+Tor access rules
>>> never_direct allow tor_url
>>> always_direct deny tor_url
>>> always_direct allow all
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>> # Local Privoxy is cache parent
>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>
>>> cache_peer_access 127.0.0.1 allow tor_url
>>> cache_peer_access 127.0.0.1 deny all
>>>
>>> http_port 3127
>>> http_port 3128 intercept
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
>>> key=/usr/local/squid/etc/rootCA.key
>>> > I also tried such config.
>>> > With such "http_port" and "http_port intercept" with ssl-bump at last.
>>> > Although curl works under test, the certificate is not the fake one.
>>> > (Issuer is not my fake one)
>>> > So I consider the ssl-bump not working in that case.
>>>
>>> > I'd like to reply when I set it up later to test.
>>>
>>> > Thanks
>>>
>>> sslproxy_capath /etc/opt/csw/ssl/certs
>>> sslproxy_options NO_SSLv2 NO_SSLv3
>>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M
>>> 4MB
>>>
>>> Generally,
>>>
>>> works like charm.
>>>
>>> 06.07.15 15:22, adam900710 пишет:
>>> >>> Hi all,
>>> >>>
>>> >>> I tried to build a ssl bumping proxy with up level proxy, but client
>>> >>> failed to connect like the following.
>>> >>>
>>> >>> The error:
>>> >>> ---
>>> >>> $ curl https://www.google.co.jp -vvvv -k
>>> >>> * Rebuilt URL to: https://www.google.co.jp/
>>> >>> * Trying ::1...
>>> >>> * Connected to localhost (::1) port 3128 (#0)
>>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
>>> >>>> Host: www.google.co.jp:443
>>> >>>> User-Agent: curl/7.43.0
>>> >>>> Proxy-Connection: Keep-Alive
>>> >>>>
>>> >>> < HTTP/1.1 200 Connection established
>>> >>> <
>>> >>> * Proxy replied OK to CONNECT request
>>> >>> * ALPN, offering http/1.1
>>> >>> * Cipher selection:
>>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>> >>> * successfully set certificate verify locations:
>>> >>> * CAfile: /etc/ssl/certs/ca-certificates.crt
>>> >>> CApath: none
>>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>>> >>> * Closing connection 0
>>> >>> curl: (35) Unknown SSL protocol error in connection to
>>> www.google.co.jp:443
>>> >>> ---
>>> >>>
>>> >>> My squid.conf:
>>> >>> ---
>>> >>> # default acls/configs are ignored
>>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>>> >>> never_direct allow all
>>> >>> ssl_bump peek all
>>> >>> ssl_bump bump all
>>> >>> http_port 3128 ssl-bump \
>>> >>> cert=/etc/squid/ssl/ca.crt \
>>> >>> key=/etc/squid/ssl/ca.key \
>>> >>> generate-host-certificates=on \
>>> >>> dynamic_cert_mem_cache_size=4MB
>>> >>> ---
>>> >>>
>>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>>> >>> That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
>>> >>> or I can't ever access some sites.
>>> >>>
>>> >>> Here is some of my experiments:
>>> >>> 1) Remove "never_direct"
>>> >>> Then ssl_bump works as expected, but all traffic doesn't goes through
>>> >>> the SOCKS5 proxy. So a lot of sites I can't access.
>>> >>>
>>> >>> 2) Use local 8118 proxy
>>> >>> That works fine without any problem, but SSL_dump is needed...
>>> >>> So just prove privoxy are working.
>>> >>>
>>> >>> Any clue?
>>> >>>
>>> >>> Thanks
>>> >>> _______________________________________________
>>> >>> squid-users mailing list
>>> >>> squid-users at lists.squid-cache.org
>>> >>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>>
>> iQEcBAEBCAAGBQJVmo9ZAAoJENNXIZxhPexGjzsIALCunLEQOJGKkcm0V0wr3QTQ
>> xdfkLvJTh9i5sJNaMGbfuE2SCYIERf7HOTu9vNFpFwZBZoQTiMqud1v8KQkzGXTC
>> xXCjlLAu937DJ+cJoeWNw+wacCB5wBFp4GoonoF3zf2HdIu76u5BQn2WeFZEfnN0
>> G1WNMh2j7BlCOgRzI7cPnFZPzomcwlCRm7VqfgmadBMU9NpP3w+iVlngGTbt0WOu
>> Apf6ktZpumfvu68hu0I1Vtn746Dz/U+mmU8Ue+FBga5wyYW6JSMMAQOdsZTeXLnh
>> Iyu56A47ouNkugcueeuLOXbVlE9N44KpBc96QkXdOvKyx+VemRzaCrMYlvaFO1U=
>> =Mt1T
>> -----END PGP SIGNATURE-----
>>


More information about the squid-users mailing list