[squid-users] SSLBump just not working

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 4 15:20:29 UTC 2016


On 08/03/2016 08:45 PM, JR Dalrymple wrote:

> To be brutally honest the whole concept is still a bit lost on me

[rant]Admitting one's limitations is often the most difficult first
step, but please do not stop here! Suggestions for where to go next: Ask
good questions, do not accept answers you do not fully understand,
provide excellent debugging info, and carefully update Squid wiki as you
master the concept. Repeat as needed.

IMHO, without solid SslBump understanding and providing good debugging,
you confine yourself to the endless copy-pasting of random config
snippets that usually do something you do not want and do not do
something you do want. Your ability to troubleshoot problems (and there
will be problems!) approaches zero in this case.

Most Squid-related concepts are easy and can be brute-forced by
trial-and-error. SslBump is different.[/rant]


> I'm still having issues I'm afraid - albeit different issues. My problem
> now reads a lot like this guy's issue:
> https://www.mail-archive.com/misc@openbsd.org/msg144692.html

That email thread does not have enough info to know what the problem
really is and contains a seemingly bogus (or at least very poorly
detailed) solution. In other words, this is one of the many SslBump
threads you may be better off ignoring for now.


> My browser just times out and no
> auto-generated certificate is ever generated. 

> ssl_bump stare all
> ssl_bump bump all

Sounds like a good start to me, provided you _understand_ what these
rules do and why this simple configuration is equivalent to the more
complex one!


> I've
> turned off the debugging as I wasn't getting anything terribly useful
> out of it.

That's fine if you want folks to keep guessing what your problem is. If
you want more efficient help, use the latest Squid, isolate the problem
to a single HTTPS transaction, and share the corresponding ALL,9 log:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.


