[squid-users] Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 14 13:32:43 UTC 2017


On 15/04/2017 1:17 a.m., Mohammed al-jakry wrote:
> Dears, 
> 
> Thanks for adding me to the list…
> 
> 
> I would like to install squid proxy with SSL bump. I am working on my virtual lab and once everything is OK I will test it on the real network. I already created a directory for the cert and generated the cert as below:
> #Generate Private Key
> openssl genrsa -out MSY.com.private 2048  
> 
> # Create Certificate Signing Request
> openssl req -new -key MSY.com.private -out MSY.com.csr
> 
> # Sign Certificate
> openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert
> # Generate certificate cache
> /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
> # Change ownership of the certificate cache
> chown squid: /var/lib/ssl_db
> Then I filled in the info and set the 'Common Name' to something other than the domain or server_name. In addition, please find below the lines from the squid configuration file:
> # Squid listen Port
> http_port 3128  
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert  
> # SSL Bump Config
> always_direct allow all  
> ssl_bump server-first all  

> sslproxy_cert_error deny all  
> sslproxy_flags DONT_VERIFY_PEER  

The above two lines are actively dangerous.


NOTE that "just for testing" is not a good excuse either. They actively
hide TLS problems: testing will "work fine" and production use of the
same config fails with horrible results - or worse, production "works
perfectly" and the horrible results happen invisibly anyway.

When testing, let Squid tell you about errors. Resolve them in other
ways (i.e. properly) and then you won't need these settings in production
use either. :-)


> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 
> and it's not working with the SSL bump configuration; it works only when I remove the SSL bump configuration, but of course without an SSL certificate.
> Also, I checked journalctl -xe and found the error below:
> /etc/squid/squid.conf:3 unrecognized: 'ssl-bump'
> Any ideas?

Either the line(s) you mentioned above:

> http_port 3128
> ssl-bump generate-host-certificates=on ...

are actually two lines in your config file instead of an email line
wrapping mistake.

Or, the squid binary being run is not built with OpenSSL support.


Probably the former, but what is the output of the command "squid -v"
anyway?


Amos
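As an added example (not part of the thread and not Squid's own tooling), a small POSIX shell helper that checks a squid.conf text for the wrapped "http_port ... ssl-bump" line behind the reported error, flags the two validation-bypass directives warned about above, and inspects "squid -v" output for an OpenSSL build. The sample config is constructed from the poster's quoted lines; the function names are this example's own.

```shell
#!/bin/sh
# Added helper (not from the thread): checks for the wrapped http_port option line
# that Squid rejects as "unrecognized: 'ssl-bump'", flags the two directives that
# hide TLS errors, and checks "squid -v" output for an OpenSSL build.

# Constructed sample modelled on the poster's quoted config, with the http_port
# options wrapped onto their own line, which is how Squid comes to reject them.
SAMPLE_CONF='# Squid listen Port
http_port 3128
ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER'

# A line that begins with an http_port/https_port option instead of a directive
# name: Squid parses every line as a directive, so such a line is rejected.
PORT_OPTION_RE='^(ssl-bump|generate-host-certificates=|dynamic_cert_mem_cache_size=|cert=|key=)'

# Print "<lineno>:<line>" for every wrapped option line in the config text ($1).
find_wrapped_port_options() {
    printf '%s\n' "$1" | grep -n -E "$PORT_OPTION_RE"
}

# Print "<lineno>:<line>" for the directives that hide TLS validation failures:
# a blanket "sslproxy_cert_error deny all" and DONT_VERIFY_PEER in sslproxy_flags.
find_validation_bypass() {
    printf '%s\n' "$1" | grep -n -E '^(sslproxy_cert_error +deny +all|sslproxy_flags .*DONT_VERIFY_PEER)'
}

# Re-join wrapped option lines onto the preceding http_port/https_port line and
# print the repaired config text.
fix_wrapped_port_options() {
    printf '%s\n' "$1" | awk -v re="$PORT_OPTION_RE" '
        $0 ~ re && prev ~ /^https?_port / { prev = prev " " $0; next }
        have { print prev }
        { prev = $0; have = 1 }
        END { if (have) print prev }'
}

# Return 0 if the given "squid -v" output shows an OpenSSL build, else 1.
# Squid 3.5+ reports --with-openssl; older 3.x builds reported --enable-ssl.
built_with_openssl() {
    printf '%s\n' "$1" | grep -q -E -- '--with-openssl|--enable-ssl([^-]|$)'
}
```

Run the first two functions over the real file with `find_wrapped_port_options "$(cat /etc/squid/squid.conf)"`, and feed `built_with_openssl` the captured output of `squid -v`.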