[squid-users] SSLBump just not working

JR Dalrymple jr at jrssite.com
Tue Aug 2 01:30:11 UTC 2016


I have a freshly installed Squid from source on a likewise freshly
installed OpenBSD system. Attempting to replace an aging stub Squid on
Linux with a transparent one using SSLBump. I think I have everything set up
pretty skookum; the symptom is that it just isn't working. When I browse to an
https website I get presented my root cert, but not a dynamically created
cert underneath. It doesn't look like they're being created as the folder
hierarchy that's supposed to contain the dynamic certs remains empty. Note
that as of yet this is not in a transparent configuration - choosing to
crawl before I walk. Here is some perhaps useful info from the system:

# uname -a
OpenBSD router.example.local 5.9 GENERIC#1761 amd64
# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--enable-icmp' '--enable-delay-pools'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-auth'
'--with-openssl' --enable-ltdl-convenience

# ps -waux | grep squid
squid     2604 10.9  1.4 17060 14840 ??  R      5:16PM    0:03.11 (squid-1)
(squid)
root     28389  0.0  0.2 10608  2548 ??  Ss     5:16PM    0:00.06
/usr/local/squid/sbin/squid
squid    17905  0.0  0.3   688  3496 ??  S      5:16PM    0:00.10
(ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid    21985  0.0  0.3   680  3460 ??  S      5:16PM    0:00.05
(ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid    20149  0.1  0.3   676  3468 ??  S      5:16PM    0:00.04
(ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid     8313  0.0  0.3   688  3488 ??  S      5:16PM    0:00.03
(ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid    11338  0.0  0.3   688  3488 ??  S      5:16PM    0:00.04
(ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid    23712  0.0  0.2   448  1580 ??  S      5:16PM    0:00.06
(logfile-daemon) /var/log/squid/access.log (log_file_daemon)
squid    20208  0.0  0.1   324  1448 ??  S      5:16PM    0:00.02 (unlinkd)
(unlinkd)

# grep -i ssl /var/log/squid/cache.log
...
2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now:
0x20 SSLOK  (SSL negotiation finished successfully)
2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now:
0x2002 SSLOK  (SSL negotiation finished successfully)
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
2016/08/01 16:54:54.370 kid1| 83,2| client_side.cc(3809)
clientNegotiateSSL: clientNegotiateSSL: New session 0x38985389200 on FD 12 (
172.22.19.48:65433)
2016/08/01 16:54:54.370 kid1| 83,3| client_side.cc(3813)
clientNegotiateSSL: clientNegotiateSSL: FD 12 negotiated cipher AES128-SHA
2016/08/01 16:54:54.371 kid1| 83,5| client_side.cc(3829)
clientNegotiateSSL: clientNegotiateSSL: FD 12 has no certificate.
2016/08/01 16:54:54.426 kid1| 85,5| client_side_request.cc(1438)
sslBumpAccessCheck: cannot SslBump this request
...

# grep -v ^# /usr/local/squid/etc/squid.conf | grep -v ^[\s]*$
# Squid 3.5.20 configuration as dumped by the grep above (the original file's
# comments were stripped, so the full-line '#' lines here are review notes).
# The mail client wrapped three directives: "machines" ends the fe80::/10
# comment, and the http_port and sslcrtd_program directives each span two
# lines below but are single lines in the real file.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Standard port hygiene: CONNECT is only accepted towards port 443, and the
# cache manager is reachable from localhost only.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Single-rule bumping: with no "peek"/"stare" rule, every CONNECT is decided
# at SslBump step 1, where the only information available is the CONNECT
# target, so the generated certificate cannot mimic the origin's real one.
# NOTE(review): the pattern recommended for 3.5 is "ssl_bump peek step1"
# followed by "ssl_bump bump all" — confirm against the 3.5 ssl_bump docs.
# The cache.log excerpt above ends in "sslBumpAccessCheck: cannot SslBump
# this request"; as far as I recall 3.5 logs that when the request reaching
# the check is not a plain CONNECT on an ssl-bump port. Presumably the client
# is not sending a CONNECT through 3128 for that session (the TLS session on
# FD 12 is negotiated before any CONNECT appears) — verify the browser's
# proxy mode.
ssl_bump bump all
http_access allow localnet
http_access allow localhost
http_access deny all
# Forward-proxy bumping port (no intercept/transparent flag yet, as the post
# says). cert= must point at the signing CA certificate together with its
# private key; that key can mint a certificate for any site that every client
# trusting this root will accept, so keep CA.pem readable only by root and
# the squid user and never copy it off this host.
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
cache_dir ufs /var/cache/squid 4000 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# The ssl_db directory in the ls output is owned by this user, so the
# ssl_crtd helpers (also running as squid in the ps output) can write to it.
cache_effective_user squid
cache_effective_group squid
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
# Helper and port agree on the 4MB cache size. The ls output shows ssl_db
# initialised (index.txt and size present) with an empty certs/ directory,
# matching the symptom that no leaf certificate has been generated yet.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10
# ALL,9 is maximum verbosity: the cache.log excerpt above shows
# "SSL SESSION PARAMETERS" blocks being written, which can include session
# key material for bumped connections. Keep cache.log readable only by the
# squid user while this is set, and narrow it to the sections seen in the
# excerpt (e.g. "ALL,1 83,5 85,5") once the problem is found.
debug_options ALL,9

# ls -lR /usr/local/squid/var/lib/
total 4
drwxr-xr-x  3 squid  wheel  512 Jul 23 18:38 ssl_db

/usr/local/squid/var/lib/ssl_db:
total 8
drwxr-xr-x  2 squid  wheel  512 Jul 23 18:38 certs
-rw-r--r--  1 squid  wheel    0 Jul 23 18:38 index.txt
-rw-r--r--  1 squid  wheel    1 Jul 23 18:38 size




Any advice would be much appreciated.

