[squid-users] SSLBump just not working

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 3 03:53:15 UTC 2016


On 2/08/2016 1:30 p.m., JR Dalrymple wrote:
> I have a freshly installed Squid from source on a likewise freshly
> installed OpenBSD system. Attempting to replace an aging stub Squid on
> Linux with transparent with SSLBump. I think I have everything set up
> pretty skookup, the symptom is it just isn't working. When I browse to an
> https website I get presented my root cert, but not a dynamically created
> cert underneath. It doesn't look like they're being created as the folder
> hierarchy that's supposed to contain the dynamic certs remains empty. Note
> that as of yet this is not in a transparent configuration - choosing to
> crawl before I walk. Here is some perhaps useful info from the system:
> 
<snip>

> ...
> 2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now:
> 0x20 SSLOK  (SSL negotiation finished successfully)
> 2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now:
> 0x2002 SSLOK  (SSL negotiation finished successfully)
> -----BEGIN SSL SESSION PARAMETERS-----
> -----END SSL SESSION PARAMETERS-----
> 2016/08/01 16:54:54.370 kid1| 83,2| client_side.cc(3809)
> clientNegotiateSSL: clientNegotiateSSL: New session 0x38985389200 on FD 12 (
> 172.22.19.48:65433)
> 2016/08/01 16:54:54.370 kid1| 83,3| client_side.cc(3813)
> clientNegotiateSSL: clientNegotiateSSL: FD 12 negotiated cipher AES128-SHA
> 2016/08/01 16:54:54.371 kid1| 83,5| client_side.cc(3829)
> clientNegotiateSSL: clientNegotiateSSL: FD 12 has no certificate.
> 2016/08/01 16:54:54.426 kid1| 85,5| client_side_request.cc(1438)
> sslBumpAccessCheck: cannot SslBump this request
> ...
> 
> # grep -v ^# /usr/local/squid/etc/squid.conf | grep -v ^[\s]*$

...
> ssl_bump bump all

ssl_bump gets processed in three stages.
#1 on client TCP connection,
#2 after TLS clientHello is received (using the config cert)
#3 after TLS serverHello is received (using a mimic cert)

As the cache.log indicates, the above causes the 'bump' action to begin at
#1. The bump handshake is getting the clientHello details, so it can do
something, but the Squid configured cert is used since there are no server
details available to generate anything from.

To do bumping with server certificate mimic you need the 'bump' action
to occur at #3.

Like:
 acl step1 at_step SslBump1
 acl step2 at_step SslBump2
 ssl_bump peek step1
 ssl_bump stare step2
 ssl_bump bump all

(or maybe stare at both non-3 steps. I'm not 100% certain there.)

...
> debug_options ALL,9
> 


ALL,9 is only needed if you have to trace exact I/O bytes for debugging.
Almost all useful info about transaction processing is logged at levels
1-6 if you are just interested in what it's doing.


> # ls -lR /usr/local/squid/var/lib/
> total 4
> drwxr-xr-x  3 squid  wheel  512 Jul 23 18:38 ssl_db
> 
> /usr/local/squid/var/lib/ssl_db:
> total 8
> drwxr-xr-x  2 squid  wheel  512 Jul 23 18:38 certs
> -rw-r--r--  1 squid  wheel    0 Jul 23 18:38 index.txt
> -rw-r--r--  1 squid  wheel    1 Jul 23 18:38 size
> 

'r' permission for 'other' is usually not good, 640 permissions are
recommended even though these are fake certs in here. But YMMV.

Amos
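To make the three-stage evaluation described in the reply above concrete, here is an added example (not code from the Squid project or from the thread participants): a deliberately simplified Python model of how first-match ssl_bump rules are evaluated at SslBump1, SslBump2 and SslBump3. It follows the reply's description that a 'bump' decided at step 1 or 2 uses the configured cert, while only a 'bump' decided at step 3 can mimic the server certificate. The treatment of unmatched rules (modelled as splice) and of peek/stare reaching step 3 (modelled as no bump) are assumptions of this model, not statements about real Squid behaviour; the two config strings are the ones quoted in the thread.

```python
"""Simplified model of ssl_bump rule evaluation across the three SslBump steps.

Only the squid.conf subset used in the thread is understood:
    acl NAME at_step SslBump1|SslBump2|SslBump3
    ssl_bump ACTION ACL        (ACL is 'all' or an at_step ACL name)
"""
from dataclasses import dataclass

STEPS = ("SslBump1", "SslBump2", "SslBump3")

# Config quoted by the original poster: 'bump' matches at step 1.
ORIGINAL_CONF = "ssl_bump bump all\n"

# Config suggested in the reply: peek, stare, then bump at step 3.
SUGGESTED_CONF = """\
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
"""


@dataclass(frozen=True)
class Rule:
    action: str  # peek | stare | splice | bump | terminate
    acl: str     # 'all' or the name of an at_step ACL


def parse_config(text):
    """Return (acls, rules) from the supported directive subset."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) == 4 and parts[2] == "at_step":
            acls[parts[1]] = parts[3]
        elif parts[0] == "ssl_bump" and len(parts) == 3:
            rules.append(Rule(parts[1], parts[2]))
        else:
            raise ValueError(f"unsupported directive in this model: {line}")
    return acls, rules


def first_match(rules, acls, step):
    """First-match semantics: the first rule whose ACL holds at this step wins."""
    for rule in rules:
        if rule.acl == "all" or acls.get(rule.acl) == step:
            return rule.action
    return "splice"  # ASSUMPTION of this model: no matching rule => splice


def simulate(config_text):
    """Walk the three steps and report where (if anywhere) 'bump' is decided.

    cert is 'configured' for a bump at step 1 or 2 (only the clientHello is
    known, as the reply explains) and 'mimic' for a bump at step 3 (serverHello
    and server certificate are available to generate a mimic cert from).
    """
    acls, rules = parse_config(config_text)
    trace = []
    for step in STEPS:
        action = first_match(rules, acls, step)
        trace.append((step, action))
        if action == "bump":
            cert = "mimic" if step == "SslBump3" else "configured"
            return {"bump_step": step, "cert": cert, "trace": trace}
        if action in ("splice", "terminate"):
            return {"bump_step": None, "cert": None, "trace": trace}
        # peek / stare: defer the decision and continue with more handshake data
    # peek/stare at step 3 leaves nothing to defer to; modelled as no bump (assumption)
    return {"bump_step": None, "cert": None, "trace": trace}


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("suggested", SUGGESTED_CONF)):
        result = simulate(conf)
        print(f"{name}: bump at {result['bump_step']} using {result['cert']} cert")
        for step, action in result["trace"]:
            print(f"    {step}: {action}")
```

Running it shows the symptom from the thread: with only `ssl_bump bump all`, the model bumps at SslBump1 with the configured cert and never reaches the stage where a dynamic mimic cert would be generated, which is consistent with the empty ssl_db/certs directory; the peek/stare/bump ordering defers the decision to SslBump3.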