[squid-users] Squid and SSL Bump
Antony Stone
Antony.Stone at squid.open.source.it
Tue Jan 9 21:27:57 UTC 2018
On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:
> I am trying to configure squid 3.5 on CentOS 7 with sslBump.
>
> But I have some problems, the first:
>
> Some HTTPs sites can access, because squid say what I am are not
> authenticated. And other sites, yes I can access.
Please give us information:
1. An example of sites you can access.
2. An example of sites you cannot access.
3. For problems, show us error messages - quote us what the remote sites tell
you.
4. Please rephrase "squid say what I am are not authenticated" - this is not
clear - what do you mean?
> I am authenticated.
To what? Squid, or the remote site?
How do you know you are authenticated - what confirmation do you have?
> Fragment of my squid.conf.
>
> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1
> ssl_bump bump all
> authenticate_ip_ttl 60 seconds
That looks a bit strange (and a bit incomplete) to me, but since I'm no expert
on SSL interception, I'll let someone else step in here.
If you can provide more information in the meantime (eg: enough to help
someone else replicate your problem) that would be good.
Antony.
--
Wanted: telepath. You know where to apply.
Please reply to the list;
please *don't* CC me.