[squid-users] SSLBump non-HTTPS connections
Peter Viskup
skupko.sk at gmail.com
Thu Jun 2 06:33:32 UTC 2016
Hello all,
just wondering whether it is possible to perform SSLBump/SSLSplit for
non-HTTPS connections. At the moment we are interested in FTPS.
We are running Squid version 3.4.2.
With SSLBump configured, we are not able to receive SSL certificates:
proxy:/etc/squid3# grep server-first squid.conf
ssl_bump server-first all
proxy:/etc/squid3# socat TCP-LISTEN:9999,reuseaddr,fork PROXY:127.0.0.1:www.ftpsservicedomain.net:990,proxyport=8080
proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
140535877478056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
With ssl_bump disabled for the particular destination domain we are
able to receive SSL Certificates:
proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft
Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=www.ftpsservicedomain.net
i:/C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
-----BEGIN CERTIFICATE-----
MIIGQzCCBCugAwIBAgITWgAAuYCRJAQnIMZ1CwABAAC5gDANBgkqhkiG9w0BAQsF
....
In both cases the only log entry we see is the CONNECT request:
01/Jun/2016:10:16:23 +0200 681 127.0.0.1 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\r\n] [-]
Best regards,
--
Peter Viskup
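An added example, not part of the original post: the socat + openssl s_client check above, reproduced as one script that opens an HTTP CONNECT tunnel through the proxy and starts a TLS handshake inside it, so the three outcomes (proxy refuses the tunnel, handshake fails as in the bumped case, or a certificate comes back as in the unbumped case) are distinguished explicitly. The proxy address 127.0.0.1:8080 and the target www.ftpsservicedomain.net:990 are the values from the post; the function names are mine.

```python
import socket
import ssl

PROXY = ("127.0.0.1", 8080)                   # Squid's listening port, as in the post
TARGET = ("www.ftpsservicedomain.net", 990)   # FTPS control port, as in the post

def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request that socat sends to the proxy on the client's behalf."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Status code from the proxy's reply to CONNECT; 200 means the tunnel is open."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def read_connect_reply(sock: socket.socket) -> bytes:
    """Read the proxy's reply up to the blank line that ends its headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf

def probe_tls_via_proxy(proxy=PROXY, target=TARGET, timeout=10.0):
    """Open a CONNECT tunnel and start TLS inside it, like socat + openssl s_client.

    Returns ("cert", pem) when the far end presents a certificate, ("tls-error", msg)
    when the handshake fails (the symptom reported with ssl_bump enabled), or
    ("connect-error", status) when the proxy refuses the tunnel.
    """
    host, port = target
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # diagnostic only: show the cert, do not trust it
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(host, port))
        status = parse_connect_status(read_connect_reply(raw))
        if status != 200:
            return ("connect-error", status)
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("cert", ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True)))
        except ssl.SSLError as exc:
            return ("tls-error", str(exc))
```

Calling probe_tls_via_proxy() from a box that can reach the proxy prints the PEM of whatever certificate the client side of the tunnel is shown, which is the quickest way to tell whether the bumped connection ever reaches the TLS layer at all.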