[squid-users] sslBump and intercept

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 13 00:47:02 UTC 2015


On 13/11/2015 1:04 a.m., Steve Hill wrote:
> On 12/11/15 09:04, Eugene M. Zheganin wrote:
> 
>> I decided to intercept the HTTPS traffic on my production squids from
>> proxy-unaware clients to be able to tell them there's a proxy and they
>> should configure one.
>> So I'm doing it like (the process of forwarding using FreeBSD pf is not
>> shown here):
>>
>> ===Cut===
>> acl unauthorized proxy_auth stringthatwillnevermatch
>> acl step1 at_step sslBump1
>>
>> https_port 127.0.0.1:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>> https_port [::1]:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump splice all
>> ===Cut===
>>
>> Almost everything works, except that squid for some reason is generating
>> certificates in this case for IP addresses, not names, so the browser
>> shows a warning about the certificate being valid only for the IP, and not the name.
> 
> proxy_auth won't work on intercepted traffic and will therefore always
> return false, so as far as I can see you're always going to peek and
> then splice.  i.e. you're never going to bump, so squid should never be
> generating a forged certificate.
> 
> You say that Squid _is_ generating a forged certificate, so something
> else is going on to cause it to do that.  My first guess is that Squid
> is generating some kind of error page due to some http_access rules
> which you haven't listed, and is therefore bumping.
> 
> Two possibilities spring to mind for the certificate being for the IP
> address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
> (use wireshark to confirm).  In this case, Squid has no way to know what
> name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some reason.
>  See:  http://bugs.squid-cache.org/show_bug.cgi?id=4327
> 

Use "debug_options ALL,0 33,5" to see what the ssl_bump access checks
and related parts are doing.

Amos


