[squid-users] Looking for assistance with setting up a TLS proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 7 21:47:42 UTC 2017


On 08/09/17 07:28, Rohit Sodhia wrote:
> Greetings,
> 
> I'm a backend dev who's been suddenly assigned a task to create a squid 
> proxy to intercept cURL/wget requests. We've got old servers that don't 
> support TLS 1.2 and some of the services we use will be requiring it 
> soon, so the decision was made to route cURL and wget requests through a 
> pair of squid servers. Unfortunately, I'm not a sysop (or even really 
> knowledgeable in this area) and am having some trouble, hoping someone 
> wouldn't mind helping me out.
> 
> I've been through the squid documentation and been playing around with 
> the examples on the squid site, including finding one for creating an 
> interception proxy. However, if I'm correct, for squid to be able to 
> upgrade the TLS requests from their current 1.0 to 1.2, squid would need 
> to decrypt the incoming request, then reencrypt it?

Yes. The TLS messaging needs replacing to negotiate TLS/1.0 variants of 
things, and often the server cert itself needs replacing entirely due to 
TLS/1.1+ extension bits inside it.


> I'm hoping someone 
> out there may be willing to help point me in the right direction; I've 
> been given a tight deadline, and both learning about the technologies 
> and finding an effective solution is straining.
> 
> Thank you,
> 

The feature details for Squid TLS interception capabilities are at 
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>

The more you know about TLS messaging the easier it is to grasp what 
Squid is doing. But the basics as covered on that page's second section 
should be sufficient to use the feature.

Some things that might trip you up:

* the "stare" and "splice" actions we normally advise using cannot be 
used when translating TLS versions. They deliver the client TLS version 
(at least) on messages to the server.

* bump at step1 (maybe step2) will do exactly what you need. This 
emulates the client-first bumping action which is documented as "causes 
a lot of problems" mostly in terms of adding major TLS vulnerabilities 
to the whole system - so minimize use as much as possible.

* TLS SNI and similar extensions are generally not sent by TLS/1.0 
clients, which makes it difficult to tell what service is being 
requested, and thus to do the above minimization.


HTH
Amos
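The three points above, put together as a squid.conf fragment. This is an added example, not configuration from the list post or from the Squid project; it assumes Squid 4 option names (tls-cert=, tls_outgoing_options) and an explicit proxy that curl/wget reach via https_proxy, and the file paths and host names are placeholders.

```conf
# Added example (not from the list post): explicit Squid 4 proxy that
# bumps only the destinations which need a TLS 1.2 upgrade and splices
# everything else. Paths and host names are placeholders.

# Port the old clients point https_proxy at. The CA cert/key signs the
# per-host certificates Squid generates; the old hosts must trust this CA.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints the generated server certificates (path is a placeholder).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Squid-to-origin side: require TLS 1.2, so the "upgrade" really happens
# even though the client only spoke TLS 1.0 to Squid.
tls_outgoing_options min-version=1.2

# Destinations whose TLS 1.0 support is going away (placeholder names).
acl upgrade_hosts ssl::server_name .api.example.net .payments.example.com

acl step1 at_step SslBump1

# Step 1: look at the CONNECT and ClientHello without committing. TLS 1.0
# clients usually send no SNI, so for them ssl::server_name is effectively
# the CONNECT host name.
ssl_bump peek step1

# Bump only the hosts that must be translated. "stare" or "splice" here
# would relay the client's TLS 1.0 handshake to the server unchanged.
ssl_bump bump upgrade_hosts

# Everything else stays end-to-end encrypted and untouched by Squid.
ssl_bump splice all
```

Keeping the bump list to the hosts that actually drop TLS 1.0 is the "minimize use as much as possible" advice in practice: only those connections get the client-first style bump and its added exposure.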

