[squid-users] Squid SSL-bump - Not working - No errors

Mohammed al-jakry mohammedjk89 at gmail.com
Sun Apr 16 13:47:03 UTC 2017


Dears,

I am setting up SSL-bump for Squid 3.5 on CentOS 7. I already generated the SSL certificate with the commands below:

OPENSSL=/usr/bin/openssl
SSLDIR=/etc/mydlp/ssl
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private.pem
[ -e $SSLDIR/public.pem ] || (echo -e "TR\nAnkara\nTechnopolis\nMyDLP\nMyDLP\n*\nsupport@mydlp.com\n" | $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/private.pem -out $SSLDIR/public.pem)
[ -e $SSLDIR/user.der ] || $OPENSSL x509 -in $SSLDIR/public.pem -outform DER -out $SSLDIR/user.der

In addition, below you can find a snippet from the squid.conf file:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

In addition, I added the user.der file to the certificate authority store on the
user machine. The problem is that it's not working. Moreover, the Squid service
restarts without any issues. Also, please find attached the result of the
Squid configuration test.

I appreciate your assistance.

Mohammed M AlJakri
-------------- next part --------------
[root at localhost ]# squid -k parse
2017/04/17 05:15:29| Startup: Initializing Authentication Schemes ...
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'basic'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'digest'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/17 05:15:29| Startup: Initialized Authentication.
2017/04/17 05:15:29| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/17 05:15:29| Processing: acl localnet src 192.168.10.0/24       # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 192.168.1.0/24        # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2017/04/17 05:15:29| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2017/04/17 05:15:29| Processing: acl SSL_ports port 443
2017/04/17 05:15:29| Processing: acl Safe_ports port 80         # http
2017/04/17 05:15:29| Processing: acl Safe_ports port 21         # ftp
2017/04/17 05:15:29| Processing: acl Safe_ports port 443                # https
2017/04/17 05:15:29| Processing: acl Safe_ports port 70         # gopher
2017/04/17 05:15:29| Processing: acl Safe_ports port 210                # wais
2017/04/17 05:15:29| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/17 05:15:29| Processing: acl Safe_ports port 280                # http-mgmt
2017/04/17 05:15:29| Processing: acl Safe_ports port 488                # gss-http
2017/04/17 05:15:29| Processing: acl Safe_ports port 591                # filemaker
2017/04/17 05:15:29| Processing: acl Safe_ports port 777                # multiling http
2017/04/17 05:15:29| Processing: acl CONNECT method CONNECT
2017/04/17 05:15:29| Processing: http_access deny !Safe_ports
2017/04/17 05:15:29| Processing: http_access deny CONNECT !SSL_ports
2017/04/17 05:15:29| Processing: http_access allow localhost manager
2017/04/17 05:15:29| Processing: http_access deny manager
2017/04/17 05:15:29| Processing: http_access allow localnet
2017/04/17 05:15:29| Processing: http_access allow localhost
2017/04/17 05:15:29| Processing: http_access allow all
2017/04/17 05:15:29| Processing: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
2017/04/17 05:15:29| Processing: always_direct allow all
2017/04/17 05:15:29| Processing: ssl_bump allow all
2017/04/17 05:15:29| SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
2017/04/17 05:15:29| Processing: sslproxy_cert_error allow all
2017/04/17 05:15:29| Processing: sslproxy_flags DONT_VERIFY_PEER
2017/04/17 05:15:29| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/04/17 05:15:29| Processing: sslcrtd_children 5
2017/04/17 05:15:29| Processing: coredump_dir /var/spool/squid
2017/04/17 05:15:29| Processing: refresh_pattern ^ftp:          1440    20%     10080
2017/04/17 05:15:29| Processing: refresh_pattern ^gopher:       1440    0%      1440
2017/04/17 05:15:29| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2017/04/17 05:15:29| Processing: refresh_pattern .              0       20%     4320
2017/04/17 05:15:29| Initializing https proxy context
2017/04/17 05:15:29| Initializing http_port [::]:3128 SSL context
2017/04/17 05:15:29| Using certificate in /etc/mydlp/ssl/public.pem
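Added example, not part of the original post or of Squid itself: a small Python linter that reads a squid.conf fragment like the one posted and flags the settings the `squid -k parse` output already warns about (the deprecated `ssl_bump allow` form) together with the two directives that switch off checking of origin server certificates. It assumes Squid 3.5 directive syntax and uses an abridged copy of the posted snippet as a constructed sample.

```python
"""Flag weak SSL-bump settings in a squid.conf fragment (Squid 3.5 syntax)."""
import re

# Each check: a regex applied to one directive line, and the concern it raises.
LINE_CHECKS = {
    "deprecated-ssl_bump-allow": (
        re.compile(r"^ssl_bump\s+(allow|deny)\b"),
        "deprecated; Squid converts it to client-first bumping (the SECURITY NOTICE "
        "in 'squid -k parse'). Use explicit peek/bump steps instead.",
    ),
    "cert-errors-allowed": (
        re.compile(r"^sslproxy_cert_error\s+allow\s+all\b"),
        "every origin certificate error is hidden from the client."),
    "peer-verification-off": (
        re.compile(r"^sslproxy_flags\b.*\bDONT_VERIFY_PEER\b"),
        "origin server certificates are never validated."),
}

def directives(conf_text):
    """Yield (lineno, directive) with comments and blank lines dropped."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '# sslproxy_cert_error deny all' is ignored
        if line:
            yield lineno, line

def lint(conf_text):
    """Return (lineno, check_id, message) findings in file order; 0 = whole file."""
    findings = []
    has_bump_port = has_crtd = False
    for lineno, line in directives(conf_text):
        has_bump_port |= line.startswith("http_port") and " ssl-bump" in line
        has_crtd |= line.startswith("sslcrtd_program")
        for check_id, (pattern, message) in LINE_CHECKS.items():
            if pattern.search(line):
                findings.append((lineno, check_id, message))
    if has_bump_port and not has_crtd:  # no helper means no per-host certificates
        findings.append((0, "missing-sslcrtd_program",
                         "http_port uses ssl-bump but sslcrtd_program is not set."))
    return findings

# Constructed sample: the posted snippet, abridged, with http_port on one line.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
ssl_bump allow all
sslproxy_cert_error allow all
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
"""
```

Running `lint(SAMPLE_CONF)` reports three findings (lines 2, 3 and 5); the commented-out `deny all` line is correctly skipped.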
