[squid-users] Squid 3.5.17 SSL-Bump Step1

Amos Jeffries squid3 at treenet.co.nz
Mon May 16 08:34:29 UTC 2016


On 16/05/2016 5:48 p.m., admin wrote:
> Hi!
> 
> Squid 3.5.17 with SSL, intercept.

Please upgrade to 3.5.19.

> 
> I use SSL-Bump only step1, which gets the SNI and terminates HTTPS sites by
> domain name. The certificate is not replaced!

The certificate is never replaced. Though if you don't know how TLS works
and look at it only from the client perspective it can appear to be so.
The reality is you either have one TLS connection or two with different
certificates on each.

> 
> acl blocked_https ssl::server_name  "/etc/squid/urls/block-url"
> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2
> connection-auth=off cert=/etc/squid/squidCA.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate blocked_https
> 
> It works.

Obviously not. There is no instruction what to do other than terminate.
Squid is left to other circumstances to decide what is needed...

> 
> But if I use
> 
> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
> http_access deny users_no_inet

... you force bumping to happen in order to deliver the HTTP error message.

Try adding this rule above the peek (and the ACL line too):
  ssl_bump terminate users_no_inet


> 
> I see NET::ERR_CERT_AUTHORITY_INVALID in browser. I import my squid
> cert, but I see NET::ERR_CERT_COMMON_NAME_INVALID
> 
> Why in this case, the squid trying to replace the certificate?

There is no server connection or certificate in existence. So nothing
exists to be replaced.

What you are seeing is Squid using its own certificate to get a TLS
connection it can deliver the HTTP error message through.


Amos
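The rule set assembled in the order Amos describes, as an added example that is not from the original thread. It reuses the poster's ACL names and file paths; the final `splice all` line is an assumption added so that clients matching neither ACL get an explicit action instead of being left to "other circumstances".

```conf
# Intercepted HTTPS port (unchanged from the poster's configuration)
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 \
    connection-auth=off cert=/etc/squid/squidCA.pem

# Source addresses with no Internet access at all
acl users_no_inet src "/etc/squid/ip-groups/no-inet"

# Domain names blocked by SNI
acl blocked_https ssl::server_name "/etc/squid/urls/block-url"

# Step 1 of SSL-Bump: only the client ClientHello has been seen
acl step1 at_step SslBump1

# Terminate before peeking: the TCP connection is closed at step 1,
# so Squid never generates a certificate to deliver an HTTP error page
# and the browser never sees NET::ERR_CERT_*.
ssl_bump terminate users_no_inet

# Everyone else: peek at the ClientHello to learn the SNI
ssl_bump peek step1

# Blocked domain names are terminated after the SNI is known
ssl_bump terminate blocked_https

# Assumption: explicit default so no rule is left to chance.
# splice passes the TLS connection through untouched.
ssl_bump splice all

# Plain HTTP is still denied for the same source group;
# this rule alone is what forced bumping for HTTPS clients.
http_access deny users_no_inet
```

Clients in `users_no_inet` now get a closed connection rather than an error page, which is the trade-off Amos is pointing at: without a bumped connection there is no way to deliver an HTTP error message.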


