[squid-users] How to configure https_port ssl-bump ?
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 21 03:25:26 UTC 2017
On 21/11/17 14:31, 赵 俊 wrote:
> Hello,I configured https_port in squid.conf . However when I access
> https websites using Firefox,it shows "Your connection is not secure" .
>
> The error like this:
> www.amazon.com <http://www.amazon.com> used an invalid security
> certificate.
> This certificate is valid for 23.13.186.212 only.
> Error code: SSL_ERROR_BAD_CERT_DOMAIN
>
> My CA produced by openssl is a Self-signed certificate.
>
There are two poitns of brokenness here.
Firstly, has your Firefox been configured with the DER certificate of
that CA so that it trusts your CA?
Without that Firefox will not trust *any* certs generated by your Squid.
> Here is my squid.conf:
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem
>
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
>
> ssl_bump bump all
>
Secondly, the above configures Squid to auto-generate the server
certificate with zero details from the real server AND zero details from
the client TLS handshake.
All Squid has to work with at that point is the raw-IP which the client
used to connect the TCP connection underneath everything. So of course
that is what the cert will be bound to.
Have you read this page to learn the bare basics about what is going on?
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>
I know the page looks long, but that is the minimal details you need to
know about TLS and the Squid SSL-Bump features.
Amos
More information about the squid-users
mailing list