[squid-users] SSLBump just not working

JR Dalrymple jr at jrssite.com
Fri Aug 5 02:13:21 UTC 2016


On Thu, Aug 4, 2016 at 10:20 AM Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 08/03/2016 08:45 PM, JR Dalrymple wrote:
>
> > To be brutally honest the whole concept is still a bit lost on me
>
> [rant]Admitting one's limitations is often the most difficult first
> step, but please do not stop here! Suggestions for where to go next: Ask
> good questions, do not accept answers you do not fully understand,
> provide excellent debugging info, and carefully update Squid wiki as you
> master the concept. Repeat as needed.
>
> IMHO, without solid SslBump understanding and providing good debugging,
> you confine yourself to the endless copy-pasting of random config
> snippets that usually do something you do not want and do not do
> something you do want. Your ability to troubleshoot problems (and there
> will be problems!) approaches zero in this case.
>
> Most Squid-related concepts are easy and can be brute-forced by
> trial-and-error. SslBump is different.[/rant]
>
>
> > I'm still having issues I'm afraid - albeit different issues. My problem
> > now reads a lot like this guy's issue:
> > https://www.mail-archive.com/misc@openbsd.org/msg144692.html
>
> That email thread does not have enough info to know what the problem
> really is and contains a seemingly bogus (or at least very poorly
> detailed) solution. In other words, this is one of the many SslBump
> threads you may be better off ignoring for now.
>
>
> > My browser just times out and no
> > auto-generated certificate is ever generated.
>
> > ssl_bump stare all
> > ssl_bump bump all
>
> Sounds like a good start to me, provided you _understand_ what these
> rules do and why this simple configuration is equivalent to the more
> complex one!
>
>
> > I've
> > turned off the debugging as I wasn't getting anything terribly useful
> > out of it.
>
> That's fine if you want folks to keep guessing what your problem is. If
> you want more efficient help, use the latest Squid, isolate the problem
> to a single HTTPS transaction, and share the corresponding ALL,9 log:
>
>
> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>
>
> HTH,
>
> Alex.
>
>
Thanks for the encouragement Alex,

I was doing single transaction debugging all along as this is currently
configured in a lab with a single client.

I've gotten it working at this point, but not due to diligent debugging I'm
afraid - more just a lucky shot in the dark. I reconfigured my system and
lab network to perform the bump on intercepted traffic. It *just works*. I
honestly don't care to backtrack and debug direct proxy requests as it
wasn't part of my planned end-state anyway.

For posterity's sake, here are the relevant parts of my working
configuration:

/etc/pf.conf:
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129

squid.conf:
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem

# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--enable-icmp' '--enable-delay-pools'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-auth'
'--with-openssl' --enable-ltdl-convenience

# uname -a
OpenBSD router.example.local 5.9 GENERIC#1761 amd64

Thanks again for all your help.
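The intercept setup above only works when the pf divert-to ports and the Squid intercept listeners line up exactly (port 80 to an http_port, port 443 to an https_port that carries ssl-bump). The following script is an added example, not part of the thread or of Squid itself: it parses the two config fragments in the pf.conf / squid.conf syntax shown in the post and reports any divert-to rule that has no matching listener, lands on the wrong listener type, or hits an https_port without ssl-bump. The sample configs inside it are constructed for the demo, and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check pf divert-to rules
# against Squid intercept listeners. Configs are read from stdin/arguments
# so the constructed samples below can be checked without touching files.

# Read a pf.conf on stdin; print "<dest_port> <divert_port>" per divert-to rule.
pf_diverts() {
    awk '/divert-to/ && !/^[ \t]*#/ {
        n = 0
        for (i = 1; i < NF; i++) if ($i == "port") { n++; p[n] = $(i+1) }
        if (n == 2) print p[1], p[2]      # first port = destination, second = divert target
    }'
}

# Read a squid.conf on stdin; print "<directive> <port> <bump|nobump>" per intercept listener.
squid_listeners() {
    awk '($1 == "http_port" || $1 == "https_port") && /intercept/ {
        port = $2; sub(/^.*:/, "", port)  # strip the 127.0.0.1: prefix if present
        print $1, port, ($0 ~ /ssl-bump/ ? "bump" : "nobump")
    }'
}

# check_bump_config PF_CONF_TEXT SQUID_CONF_TEXT -> returns 0 when consistent, 1 otherwise.
check_bump_config() {
    pfconf=$1; sqconf=$2; rc=0
    listeners=$(printf '%s\n' "$sqconf" | squid_listeners)
    for pair in $(printf '%s\n' "$pfconf" | pf_diverts | tr ' ' ':'); do
        dst=${pair%:*}; lp=${pair#*:}
        line=$(printf '%s\n' "$listeners" | awk -v p="$lp" '$2 == p')
        if [ -z "$line" ]; then
            echo "MISSING: divert-to port $lp has no intercept listener in squid.conf"
            rc=1; continue
        fi
        set -- $line   # $1 = directive, $2 = port, $3 = bump|nobump
        case "$dst:$1" in
            80:http_port) ;;
            443:https_port)
                [ "$3" = bump ] || { echo "NO-BUMP: https_port $lp lacks ssl-bump"; rc=1; } ;;
            *) echo "MISMATCH: destination port $dst is diverted to $1 on $lp"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs mirroring the post's working setup.
PF_GOOD='pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129'
SQUID_GOOD='http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
ssl_bump stare all
ssl_bump bump all'
# Constructed broken variant: port 443 is diverted to an https_port without ssl-bump.
SQUID_BAD='http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept'

demo_good() { check_bump_config "$PF_GOOD" "$SQUID_GOOD"; }
demo_bad()  { check_bump_config "$PF_GOOD" "$SQUID_BAD"; }

if demo_good; then echo "constructed good config: consistent"; fi
if demo_bad; then :; else echo "constructed bad config: findings printed above"; fi
```

To run it against real files, call `check_bump_config "$(cat /etc/pf.conf)" "$(cat /usr/local/squid/etc/squid.conf)"`; a non-zero exit plus the printed finding is the quickest way to rule out the port-mismatch class of "browser just times out" symptoms before reaching for an ALL,9 log.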