[squid-users] SSLBump just not working

JR Dalrymple jr at jrssite.com
Thu Aug 4 02:45:56 UTC 2016


On Wed, Aug 3, 2016 at 9:14 AM Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 08/02/2016 09:53 PM, Amos Jeffries wrote:
>
> > To do bumping with server certificate mimic you need the 'bump' action
> > to occur at #3.
>

Thanks for the clarification. I probably read that 100 times in the
documentation but it didn't really sink in until today how that all works.
To be brutally honest the whole concept is still a bit lost on me, but I
can make sense that you have to perform the SNI CONNECT bits before you can
actually bump. My apologies for the earlier misunderstanding...


> >
> > Like:
> >  acl step1 at_step SslBump1
> >  acl step2 at_step SslBump2
> >  ssl_bump peek step1
> >  ssl_bump stare step2
> >  ssl_bump bump all
> >
> > (or maybe stare and both non-3 steps. I'm not 100% certain there.).
>
>
> Yes, all of the above can be polished and simplified to become just two
> lines:
>
>   ssl_bump stare all
>   ssl_bump bump all
>

I'm still having issues I'm afraid - albeit different issues. My problem
now reads a lot like this guy's issue:

https://www.mail-archive.com/misc@openbsd.org/msg144692.html

I did however perform the step he did to rectify his issue and it's not
having any effect for me I'm afraid. My browser just times out and no
auto-generated certificate is ever generated. I've combed through a number
of configurations on the Internet at this point and I'm not seeing how mine
is terribly different from anyone else's who is having success. For the
sake of completeness I'll post my configuration as it stands today:

 # grep -v ^[\s]*$ /usr/local/squid/etc/squid.conf | grep -v ^#
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
ssl_bump stare all
ssl_bump bump all
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/gzgtgCA.pem
cache_dir ufs /var/cache/squid 4000 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign signTrusted
cache_effective_user squid
cache_effective_group squid
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10


I've tried various different combinations of ssl_bump directives including
adding the step_1 and step_2 ACLs as suggested by Amos (verbatim), and
additionally (again verbatim) the configuration outlined on the
squid-cache.org site, but at this point the only behavior I'm getting out
of the system is that which I've described. I have also tried both peeking
and staring, as I understand the use case for my environment stare would be
most appropriate, however neither seem to be working for me at this point
so it's moot. I've turned off the debugging as I wasn't getting anything
terribly useful out of it. I could see CONNECTs to the https sites, and
mentions that they qualified for stare or bump, but never did it seem to
actually happen. If anyone has anything that I should grep for in debug
logs to maybe help I'd be happy to oblige. Perhaps I should just abandon
OpenBSD and move to a more common flavor of *nix - although I will miss PF.

Thanks for the help.
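As an added example (not part of the thread or of Squid itself), the script below parses the ssl_bump, http_port and sslproxy_* directives of a squid.conf and reports two things a reviewer would check in the configuration posted above: whether the first ssl_bump action is a peek/stare rather than an immediate bump, and whether upstream certificate validation has been switched off (sslproxy_cert_error allow all, sslproxy_flags DONT_VERIFY_PEER), which makes a bumped client unable to notice a forged server certificate. The finding codes and the constructed sample (directives copied from the posted config) are this example's own.

```python
"""Audit ssl_bump / sslproxy_* directives in a squid.conf (added example)."""

# Constructed sample: the relevant directives from the squid.conf posted above.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
ssl_bump stare all
ssl_bump bump all
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/gzgtgCA.pem
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign signTrusted
"""


def parse_directives(text):
    """Return (directive, [args]) tuples; comments and blank lines are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing '#' comments
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def audit(text):
    """Return a list of (code, message) findings for the given squid.conf text."""
    directives = parse_directives(text)
    findings = []
    ports = [args for name, args in directives if name == "http_port"]
    bumps = [args for name, args in directives if name == "ssl_bump"]
    if not any("ssl-bump" in args for args in ports):
        findings.append(("NO_BUMP_PORT",
                         "no http_port carries the ssl-bump flag, so ssl_bump rules never apply"))
    if bumps and bumps[0][0] == "bump":
        findings.append(("BUMP_AT_STEP1",
                         "first ssl_bump action is 'bump': no peek/stare precedes it, so Squid "
                         "never sees the server certificate before bumping (thread says bump at step 3)"))
    for name, args in directives:
        if name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(("CERT_ERRORS_IGNORED",
                             "sslproxy_cert_error allow all: every upstream certificate error is "
                             "accepted and the site is re-signed with the proxy CA anyway"))
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append(("NO_PEER_VERIFY",
                             "sslproxy_flags DONT_VERIFY_PEER: upstream server certificates are not verified"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code}: {message}")
```

Running it against the posted config reports CERT_ERRORS_IGNORED and NO_PEER_VERIFY; a config whose first ssl_bump rule is bump, or whose http_port lacks ssl-bump, gets the other two codes.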