[squid-users] Server-first SSL bump in Squid 3.5.x

Dan Charlesworth dan at getbusi.com
Thu Mar 19 05:36:52 UTC 2015

Hey y’all

Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek & Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ...

Using the same SSL Bump config that we used for 3.4, we now seeing this happen:
19/Mar/2015-16:21:32     22 d4:f4:6f:71:90:e6 TCP_DENIED 200 0 CONNECT - server-first - HIER_NONE/- - -

Instead of this:
19/Mar/2015-14:42:04    736 d4:f4:6f:71:90:e6 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/ application/x-javascript -

This request happens in a little splash page which is designed to test if squid’s CA cert is installed on the client and redirect them to some instructions if it’s not. This definitely isn’t happening for all intercepted HTTPS requests, just this (particularly important) one and some others.

SSL Bump config:
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all

sslcrtd_program /usr/bin/squid_ssl_crtd -s /path/to/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

DNAT intercepting port config:
https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/squid/proxy-cert.cer key=/path/to/squid/proxy-key.key

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150319/dd97a11f/attachment.html>

More information about the squid-users mailing list