[squid-users] ssl_bump newbie troubles

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 20 15:51:42 UTC 2016 

On 21/04/2016 2:16 a.m., Odhiambo Washington wrote:
> Hi,
> 
> I am trying my hands on ssl_bump and it's almost working, but that's
> ish-ish.. because I have several problems.
> 
> I even wonder if this config is correct:
> 
> *acl step1 at_step SslBump1*
> *acl step2 at_step SslBump2*
> *acl step3 at_step SslBump3*
> 
> *acl ssl_bump_broken_sites  dstdomain
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"*
> *ssl_bump none ssl_bump_broken_sites*
> 

There is no HTTP message URL in TLS, so dstdomain does not work in
ssl_bump. Use ACL type "ssl::server_name" instead.

Also, the legacy action "none" is not compatible with peek/stare
actions. Use "splice" instead.

> 
> *acl step1 at_step SslBump1*
> *ssl_bump peek step1*
> *ssl_bump stare step2*
> *ssl_bump bump all*
> 
> *sslproxy_capath /etc/ssl/certs*
> *sslproxy_cert_error allow all*
> *#sslproxy_cert_error deny all*
> *sslproxy_flags DONT_VERIFY_PEER*

You should test with verification and errors enabled. That way you get
told by Squid what the problems are. This way things just get ignored
and then maybe TLS "mysteriously" dies.

> *sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt*
> 
> 
> <cut>
> 
> The following error was encountered while trying to retrieve the URL:
> https://org.ke.m-pesa.com/*
> 
> *Failed to establish a secure connection to 196.201.214.212*
> 
> The system returned:
> 
> (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
> Handshake with SSL server failed: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> 
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the remote
> host does not support secure connections, or the proxy is not satisfied
> with the host security credentials.
> 
> 
> </cut>
> 
> 
> 
> I thought I could mitigate that with the:
> 
> *acl ssl_bump_broken_sites  dstdomain
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"*
> *ssl_bump none ssl_bump_broken_sites*
> 
> ..but that doesn't do it...

What you seem to have intended (splice) might work.

The message seem pretty clear. Squid was unable to validate the
certificate of that origin server.


> 
> Secondly, I had to import my CA to all devices (as a trusted CA) on the
> network so that they don't get the MITM notification. This is a challenge,
> because I have to do the same for smart phones too, and that is not easy.
> People don't like intrusive changes. For example on Android phone, you have
> to set screen security before you can import such a CA, and after you do,
> you cannot disable the screen security! Now, that is not something people
> want.

That import is mandatory for "bump" action to work without SSL/TLS warnings.

If you only use peek and splice actions then Squid is not touching the
crypto and it is not needed.

Amos

More information about the squid-users mailing list