[squid-users] ssl_bump and SNI

Yuri Voinov yvoinov at gmail.com
Thu Mar 5 13:18:59 UTC 2015



Transparent interception in 3.5 still does not completely support SNI.
Only in the 3.4.x branch.

And yes - you are doing it wrong in your config:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

05.03.15 17:53, Sergey Pronin wrote:
> Hello guys,
> 
> I have a question about bumping and SNI. Is it supported now in
> squid 3.5?
> 
> What do I have: Debian Linux squid 3.5.2
> 
> Config for SSL transparent interception is the following:
> 
> https_port 10.10.115.7:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/squidCA
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ssl_bump none localhost
> ssl_bump peek all
> ssl_bump bump all
> 
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
> 
> With this configuration the access log looks like this for HTTPS traffic:
> 
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 177.71.251.241:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 223.25.233.66:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 103.16.26.232:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.6 - - [05/Mar/2015:13:44:54 +0200] "CONNECT 65.55.163.221:443 HTTP/1.1" 200 895 "-" "-" TCP_TUNNEL:ORIGINAL_DST
> 
> Certificates are generated for IPs as well, not CNs. Clients are
> redirected via iptables.
> 
> I have tried to modify ssl_bump options:
> 
> 1) ssl_bump stare all
> 2) ssl_bump peek all
> 3) ssl_bump bump all
> 
> etc., but still only IPs are shown.
> 
> Could you please tell me where I'm mistaken?
> 
> --
> Regards
> 

