[squid-users] ssl_bump newbie troubles

Odhiambo Washington odhiambo at gmail.com
Wed Apr 20 14:16:07 UTC 2016


Hi,

I am trying my hand at ssl_bump and it's almost working, but only ish-ish, because I have several problems.

I even wonder if this config is correct:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl ssl_bump_broken_sites  dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt


<cut>

The following error was encountered while trying to retrieve the URL:
https://org.ke.m-pesa.com/

Failed to establish a secure connection to 196.201.214.212

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied
with the host security credentials.

Your cache administrator is <odhiambo at gmail.com>.

[error details encoded in the page's mailto link:]
CacheHost: gw.crownkenya.com
ErrPage: ERR_SECURE_CONNECT_FAIL
Err: (92) Protocol error
TimeStamp: Wed, 20 Apr 2016 13:22:02 GMT

ClientIP: 192.168.54.63
ServerIP: 196.201.214.212

HTTP Request:
CONNECT / HTTP/1.1
Host: 196.201.214.212:443

</cut>



I thought I could mitigate that with the:

acl ssl_bump_broken_sites  dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites

...but that doesn't do it...

Secondly, I had to import my CA to all devices (as a trusted CA) on the
network so that they don't get the MITM notification. This is a challenge,
because I have to do the same for smart phones too, and that is not easy.
People don't like intrusive changes. For example, on an Android phone, you have
to set screen security before you can import such a CA, and after you do,
you cannot disable the screen security! Now, that is not something people
want.

Another issue is that we allow guests who come into the premises to use
our Wi-Fi (on a different SSID). Without them importing the CA, they get
the MITM notification and cannot browse. This is because they get assigned
IPs in the same subnet we use in the office.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
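An added example, not the poster's configuration, showing one way to write the ssl_bump rules so that a "broken sites" exclusion can match. At SslBump1 Squid knows only what the CONNECT request carried; the error report above shows that request as `CONNECT / HTTP/1.1` with `Host: 196.201.214.212:443`, i.e. an IP address and no host name, so a `dstdomain` list of names cannot match at that step. After a `peek` at step 1 the client's TLS SNI is known at step 2, where the `ssl::server_name` ACL can match it and `splice` passes the connection through unbumped. It is assumed here that the exclusion file lists names one per line (a leading dot covering subdomains) and that the same file is usable by both ACL types; the file path is the poster's own.

```conf
# Added example (not the original post's config): ssl_bump rules in which
# the exclusion list is evaluated after the SNI is known.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Exclusion list (assumed format: one name per line, e.g. ".m-pesa.com").
# dstdomain matches the CONNECT target at step 1 (useful only for explicit
# proxy clients that send a host name); ssl::server_name matches the TLS
# SNI, which is available from step 2 onward.
acl broken_sites_dst dstdomain      "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
acl broken_sites_sni ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"

# Step 1: explicit-proxy requests that name an excluded host are spliced
# straight away; everything else is peeked to learn the SNI.
ssl_bump splice step1 broken_sites_dst
ssl_bump peek   step1

# Step 2: SNI known. Splice excluded hosts (tunnel, no decryption);
# stare at the rest to obtain the server certificate for mimicking.
ssl_bump splice step2 broken_sites_sni
ssl_bump stare  step2

# Step 3: server certificate known; bump whatever reached this point.
ssl_bump bump   all
```

Two further points a practitioner would check against the error shown in the post. The OpenSSL text `SSL3_READ_BYTES:sslv3 alert bad certificate` describes an alert received from the peer, so the server, not Squid, rejected the handshake; relaxing Squid's own checks with `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` therefore has no effect on it, while it does disable validation of every server certificate Squid sees on bumped connections, which is worth keeping in mind before leaving those lines in. For the guest Wi-Fi case, ssl_bump rules accept ordinary ACLs, so a `splice` rule with a `src` ACL placed ahead of the `stare`/`bump` rules would exempt guest clients once they are on an address range distinct from the office subnet.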