[squid-users] SSLBump non-HTTPs connections

Peter Viskup skupko.sk at gmail.com
Thu Jun 2 06:33:32 UTC 2016

Hello all,
just wondering whether it is possible to perform SSLBump/SSLSplit for
non-HTTPS connections. At the moment we are interested in FTPS.
We are running Squid version 3.4.2.

With SSLBump configured, in that case we are not able to receive SSL certificates:

proxy:/etc/squid3# grep server-first squid.conf
ssl_bump server-first all
proxy:/etc/squid3# socat TCP-LISTEN:9999,reuseaddr,fork
proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
140535877478056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 308 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

With ssl_bump disabled for the particular destination domain we are
able to receive SSL Certificates:

proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft
Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/CN=www.ftpsservicedomain.net
Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2

In both cases the only log entry we see is the CONNECT request:
01/Jun/2016:10:16:23 +0200    681 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\r\n] [-]

Best regards,
Peter Viskup
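An added example, not part of the post above and not Squid's own code: a small Python script that parses access.log lines in the custom logformat visible in the post (timestamp, elapsed time, tag/status, bytes, method, URL, user, hierarchy, then the bracketed Host header) and lists CONNECT tunnels that an administrator would want to review, namely tunnels to a port other than 443 (990 for FTPS, as in the post) and tunnels that closed with zero bytes transferred, as the TAG_NONE/200 0 entry above did. The field layout, the function names, the sample log lines and the HTTPS port list are all assumptions of this example.

```python
import re

# Constructed sample lines in the logformat seen in the post. These are not
# real log entries; only the first mirrors the entry quoted in the post.
SAMPLE_LOG = """\
01/Jun/2016:10:16:23 +0200    681 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\\r\\n] [-]
01/Jun/2016:10:17:05 +0200   1204 TCP_MISS/200 5123 CONNECT www.example.com:443 - HIER_DIRECT/www.example.com - [Host: www.example.com:443\\r\\n] [-]
01/Jun/2016:10:18:40 +0200     95 TAG_NONE/200 0 CONNECT mail.example.net:465 - HIER_DIRECT/mail.example.net - [Host: mail.example.net:465\\r\\n] [-]
01/Jun/2016:10:19:02 +0200    310 TCP_MISS/200 8800 GET http://www.example.org/ - HIER_DIRECT/www.example.org - [Host: www.example.org\\r\\n] [-]
"""

# Assumed field order: "<timestamp> <tz> <elapsed> <tag>/<status> <bytes>
# <method> <url> <user> <hierarchy> ..." (the bracketed tail is ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ [+-]\d{4})\s+(?P<duration>\d+) "
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<user>\S+) (?P<hier>\S+)"
)


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not
    match the assumed logformat. For CONNECT requests the URL is split into
    host and port, since the port decides whether the tunnel carries HTTPS."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("duration", "status", "bytes"):
        rec[key] = int(rec[key])
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        rec["host"] = host
        rec["port"] = int(port) if port.isdigit() else None
    return rec


def review_tunnels(log_text, https_ports=(443,)):
    """Return (host, port, reasons) for every CONNECT tunnel that either
    targets a port outside https_ports or finished with zero bytes moved.
    Both conditions apply to the FTPS entry quoted in the post."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        reasons = []
        if rec["port"] not in https_ports:
            reasons.append("tunnel to non-HTTPS port %s" % rec["port"])
        if rec["bytes"] == 0:
            reasons.append("zero bytes transferred (%s/%d)" % (rec["tag"], rec["status"]))
        if reasons:
            findings.append((rec["host"], rec["port"], reasons))
    return findings


if __name__ == "__main__":
    for host, port, reasons in review_tunnels(SAMPLE_LOG):
        print("%s:%s -> %s" % (host, port, "; ".join(reasons)))
```

Run against a real access.log, the script only reports; whether a flagged tunnel should be bumped, passed through, or blocked is a policy decision for the administrator, and the script assumes the same custom logformat as the sample lines.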
