[squid-users] Squid and SSL Bump

Antony Stone Antony.Stone at squid.open.source.it
Tue Jan 9 21:27:57 UTC 2018


On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:

> I am trying to configure squid 3.5 on CentOS 7 with sslBump.
> 
> But I have some problems, the first:
> 
> Some HTTPs sites can access, because squid say what I am are not
> authenticated. And other sites, yes I can access.

Please give us information:

1. An example of sites you can access.

2. An example of sites you cannot access.

3. For problems, show us error messages - quote us what the remote sites tell 
you.

4. Please rephrase "squid say what I am are not authenticated" - this is not 
clear - what do you mean?

> I am authenticated.

To what?  Squid, or the remote site?

How do you know you are authenticated - what confirmation do you have?

> Fragment of my squid.conf.
> 
> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB# options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1
> ssl_bump bump all
> authenticate_ip_ttl 60 seconds

That looks a bit strange (and a bit incomplete) to me, but since I'm no expert 
on SSL interception, I'll let someone else step in here.

If you can provide more information in the meantime (eg: enough to help 
someone else replicate your problem) that would be good.


Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                   Please reply to the list;
                                                         please *don't* CC me.
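As an added illustration (not part of the thread and not from either poster), the following is how the quoted fragment reads when written out as a complete staged ssl_bump section for Squid 3.5: one directive per line, a proxy_auth ACL evaluated before any bump rule, and a splice list for sites that must not be decrypted. The CA file, helper paths, password file and the `.example-bank.test` entry are assumptions, not values from the thread.

```conf
# Explicit proxy port with SSL bumping (CA path assumed, as in the thread)
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem

# Helper that mints per-host certificates (paths assumed for CentOS 7)
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# Proxy authentication: helper and password file are assumptions
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# SslBump stages: step1 sees only the client SNI, step2 the server certificate
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Constructed list of hosts that are passed through undecrypted
acl nobump ssl::server_name .example-bank.test

# Peek first so the SNI is known, splice the exempt hosts, bump the rest
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# http_access is evaluated for the CONNECT and for every decrypted request
http_access allow authenticated
http_access deny all
```

After editing, `squid -k parse` reports any directive the running build does not accept before the configuration is reloaded.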
