[squid-users] sslBump and intercept

Thu Nov 12 12:48:38 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

More probably this is bug http://bugs.squid-cache.org/show_bug.cgi?id=4188.

12.11.15 18:04, Steve Hill пишет:
> On 12/11/15 09:04, Eugene M. Zheganin wrote:
>
>> I decided to intercept the HTTPS traffic on my production squids from
>> proxy-unware clients to be able to tell them there's a proxy and they
>> should configure one.
>> So I'm doing it like (the process of forwarding using FreeBSD pf is not
>> shown here):
>>
>> ===Cut===
>> acl unauthorized proxy_auth stringthatwillnevermatch
>> acl step1 at_step sslBump1
>>
>> https_port 127.0.0.1:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>> https_port [::1]:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump splice all
>> ===Cut===
>>
>> Almost everything works, except that squid for some reason is generating
>> certificates in this case for IP addresses, not names, so the browser
>> shows a warning abount certificate being valid only for IP, and not name.
>
> proxy_auth won't work on intercepted traffic and will therefore always
return false, so as far as I can see you're always going to peek and
then splice.  i.e. you're never going to bump, so squid should never be
generating a forged certificate.
>
> You say that Squid _is_ generating a forged certificate, so something
else is going on to cause it to do that.  My first guess is that Squid
is generating some kind of error page due to some http_access rules
which you haven't listed, and is therefore bumping.
>
> Two possibilities spring to mind for the certificate being for the IP
address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
(use wireshark to confirm).  In this case, Squid has no way to know what
name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some
reason.  See:  http://bugs.squid-cache.org/show_bug.cgi?id=4327
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWRIqmAAoJENNXIZxhPexGNGYIAIjJEGvbSa5WovjyrdzsBM+/
f3ucdM4x8e4CZtNxOhOoLlLOZdsG0vr6aiHDDOcKhPGL9wg0goQnvToaZguqtcDG
JcSLA3iwR/GI8RmTmmODsqDOyxLAVQx6JjWQKQIkYE5nvCOh7orSnh2oaUHqkG2P
0bxMI2NR6RB977rQPiZlN89yp1wdd0C99iBvEs6chifoTMrSQzKstEs31k8zt1Ae
ZTM/aEMnqXf0GiDbayXcPMYoQ6w9/fEpQ5wA/mCQSE4ZH71zPsChPqCcA2jp8gU5
VR4+ZQeLklSEiGweun8Yk1LAupTf7APRV+H2yX/m6ElXXkMMDFu5OM9plMQHFKo=
=LXF6
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151112/fa5fedf0/attachment.html>