[squid-users] Server-first SSL bump in Squid 3.5.x
dan at getbusi.com
Thu Mar 19 05:36:52 UTC 2015
Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek & Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ...
Using the same SSL Bump config that we used for 3.4, we now see this happen:
19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 184.108.40.206:443 - server-first - HIER_NONE/- - -
Instead of this:
This request happens in a little splash page which is designed to test if squid’s CA cert is installed on the client and redirect them to some instructions if it’s not. This definitely isn’t happening for all intercepted HTTPS requests, just this (particularly important) one and some others.
SSL Bump config:
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all
sslcrtd_program /usr/bin/squid_ssl_crtd -s /path/to/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
DNAT intercepting port config:
https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/squid/proxy-cert.cer key=/path/to/squid/proxy-key.key
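For comparison, the same policy (bump everything except localhost) written in the peek-and-bump vocabulary that Squid 3.5 introduced, added here as an illustration; this is not the poster's configuration, and the thread does not establish whether it changes the TCP_DENIED result. Squid 3.5 added the `peek`, `stare`, `bump`, `splice` and `terminate` actions and the `at_step` ACL, while the legacy actions (`none`, `client-first`, `server-first`) remain accepted but deprecated. The `/path/to/` placeholders are carried over from the poster's lines; the `https_port` line is unchanged and omitted.

```conf
# Added example (not the poster's config): peek-then-bump form of
# "ssl_bump none localhost / ssl_bump server-first all" in Squid 3.5 syntax.

# Matches only during the first SslBump step (TLS client hello seen,
# nothing sent to the server yet).
acl step1 at_step SslBump1

# Leave localhost traffic untouched; "splice" is the 3.5 spelling of "none".
ssl_bump splice localhost

# Step 1: peek at the client hello (SNI) without committing to bump or splice.
# Rules are evaluated in order at every step, so localhost is spliced first.
ssl_bump peek step1

# Later steps: bump everything else. Squid connects to the origin, fetches
# its certificate and mimics it with the generated-host-certificate machinery.
ssl_bump bump all

# Unchanged from the original policy.
sslproxy_cert_error deny all
sslcrtd_program /usr/bin/squid_ssl_crtd -s /path/to/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
```

The `step1` ACL is what makes the ordering work: at step 1 only `splice localhost` or `peek step1` can match, and at step 2 `step1` no longer matches, so the non-localhost connections fall through to `bump all`.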