[squid-users] ssl_bump and SNI
Sergey Pronin
apani at yandex.ru
Thu Mar 5 11:53:13 UTC 2015
Hello guys,
I have a question about bumping and SNI. Is it supported now in squid 3.5?
What I have:
Debian Linux
squid 3.5.2
Config for SSL transparent interception is the following:
https_port 10.10.115.7:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/squidCA
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump none localhost
ssl_bump peek all
ssl_bump bump all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
With this configuration the access log looks like this for HTTPS traffic:
192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 177.71.251.241:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 223.25.233.66:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 103.16.26.232:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
192.168.78.6 - - [05/Mar/2015:13:44:54 +0200] "CONNECT 65.55.163.221:443 HTTP/1.1" 200 895 "-" "-" TCP_TUNNEL:ORIGINAL_DST
Certificates are generated for IPs as well, not CNs.
Clients are redirected via iptables.
I have tried to modify ssl_bump options:
1) ssl_bump stare all
2) ssl_bump peek all
3) ssl_bump bump all
etc., but still only IPs are shown.
Could you please tell me where I'm mistaken?
--
Regards