[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

maple maple.feng.wang at hotmail.com
Sun Nov 8 13:40:09 UTC 2015

Hi Amos,

First of all, thanks very much for your detailed answer. About your questions:
1) are you the sysadmin for that network?
There are actually three networks involved: internal net (I'm fully in charge
of this) <---> lab network (the jump server is located here; I'm using it to set up
an ssh tunnel from the office, and I'm just a user in this net) <---> office network
(the HTTP proxy is located here; I'm just a user).
2) and why is there a full separation like that?
As I said above, the lab network is almost completely separated from the others;
it only provides a jump server which allows the office network to access it with
ssh, so if I want my internal net located in the lab to access the internet, the
only way is to use an ssh tunnel to reach the HTTP proxy in the office range. This
is the reason I set it up like this. I may contact the sysadmin to give me some way
to access the internet from the lab directly which bypasses the ssh tunnel, but an
upstream proxy is necessary for policy reasons.

I went through the solution you suggested; just to confirm, in case I don't
understand it in the right way:

client <---https---> second squid <---proxychains---> first squid <---ssh
tunnel---> http proxy <--http/https--> internet

For the first squid ("configured with a cache_peer using an IP:port, and also
using the "ssl" option"):
http_port 3128 intercept
cache_peer parent 12345 0 no-query no-digest default
never_direct allow all
sslproxy_flags DONT_VERIFY_PEER

I'm not sure what the exact "ssl" option is, but it should not be ssl_bump, right?
I'd appreciate it if you could specify it.

For the second squid ("have a https_port to receive the traffic. No special mode
flags are needed here"):
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt
ssl_bump peek all
ssl_bump bump all
always_direct allow all

I'm not setting "intercept" on the https_port since you said no special mode
flags are needed.

For proxychains:
http  first_squid 3128

proxychains second_squid -f conf_file

Is that aligned with what you suggested? Thanks again for your great support.

Best regards.

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-with-cache-peer-problem-Handshake-fail-after-Client-Hello-tp4672064p4674435.html
Sent from the Squid - Users mailing list archive at Nabble.com.
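An added example, not the poster's configuration and not Amos's suggestion, showing the caveat behind the `sslproxy_flags DONT_VERIFY_PEER` line quoted above: once a client trusts the bumping proxy's CA, it only ever sees the certificate Squid generates, so whichever Squid performs the bump must do the origin-certificate verification the client no longer can. It assumes Squid 3.5 directive syntax; the key path, the ssl_crtd program and database paths, and the CA bundle path are placeholders.

```conf
# Added example (not the poster's or Amos's config). Squid 3.5 syntax.
# Placeholders: squid.key, the ssl_crtd program/db paths, the CA bundle path.

# Common part for the Squid instance that performs the bump
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt key=/etc/squid/ssl_cert/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# WEAK: the bumping proxy never checks the origin server's certificate chain.
# The client only sees Squid's generated cert, so nobody verifies the origin.
sslproxy_flags DONT_VERIFY_PEER

# CORRECTED (use instead of the sslproxy_flags line above): Squid verifies
# the origin against a CA bundle and fails closed on any certificate error,
# returning an error page to the client instead of a freshly minted cert.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all
```

In the chained setup described in the post, the TLS session to the origin is opened by the bumping Squid (the first Squid only carries it as a CONNECT tunnel), so this verification belongs on the bumping instance.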
