[squid-users] Can't get Squid configured properly

ingo janssen ingoogni at gmail.com
Wed Apr 10 14:42:40 UTC 2019


My goal is to do some local modification through ICAP to websites before 
they hit my browser. The basics work, but then there is the SslBump.

Compiled and installed squid-4.6 on FreeBSD 12 in a jail with 
--with-openssl,  --enable-ssl-crtd amongst other options.

Created certificates as per:
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Non-encrypted sites work fine, no encrypted site works:

"duckduckgo.com has a security policy called HTTP Strict Transport 
Security (HSTS), which means that Firefox can only connect to it 
securely. You can’t add an exception to visit this site."

with no advanced option to continue. Other sites give that option, but 
finally resulting in:

"
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /OU=GlobalSign 
Root CA - R2/O=GlobalSign/CN=GlobalSign
"

In the end all HTTPS sites end up, directly or indirectly, in that error. From 
what I read in various discussions after searching for these errors, 4.6 
should automatically download intermediate certificates.

Some guidance would be welcomed.

Config:
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl ssl_exclude_domains ssl::server_name "/usr/local/etc/squid/ssl_excl_domains.conf"
ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump bump all

http_access deny !Safe_ports
http_access deny !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB tls-ce>
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s 
/var/squid/cache/ssl_db -M>
sslcrtd_children 5

cache deny all

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

TIA,

Ingo
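The error quoted above (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, OpenSSL verify code 20) is what a TLS client reports when it trusts the root but was handed neither the intermediate CA certificate nor a way to find it. The script below is an added example, not part of the original post or of Squid: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI (all names and paths are made up), verifies the leaf against the root alone to reproduce the "unable to get local issuer certificate" verdict, and then verifies again with the intermediate supplied, the way a server's sent chain or an AIA fetch would supply it.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the verification
# failure behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY with a
# constructed three-level chain, then show the same leaf verifying once
# the intermediate is available. Requires the openssl CLI (1.1.1 or 3.x).

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME SUBJECT: key + CSR for one subject (EC keys keep it fast).
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Build root, intermediate and leaf certificates in $WORK.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # self-signed root CA (the only thing the client will trust)
  new_csr root "/O=Example Lab/CN=Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # intermediate CA signed by the root
  new_csr int "/O=Example Lab/CN=Example Intermediate CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # server (leaf) certificate signed by the intermediate
  new_csr leaf "/CN=www.example.test"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf TRUSTED_BUNDLE [INTERMEDIATES]
# Mirrors a TLS client: TRUSTED_BUNDLE is the local CA store, INTERMEDIATES
# stands in for the extra certificates the server sends (or that a proxy
# fetched via AIA). Prints OpenSSL's verdict on stdout.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
  fi
}

# is_missing_issuer VERDICT: true when the verdict is verify error 20,
# i.e. the client trusts the root but cannot find the leaf's issuer.
is_missing_issuer() {
  printf '%s\n' "$1" | grep -q 'unable to get local issuer certificate'
}

make_chain
printf '1) Root trusted, intermediate not supplied:\n%s\n\n' \
  "$(verify_leaf "$WORK/root.pem")"
printf '2) Root trusted, intermediate supplied:\n%s\n' \
  "$(verify_leaf "$WORK/root.pem" "$WORK/int.pem")"
```

Case 1 is the situation the post's error page describes: the issuer named in the message (here a constructed intermediate, on the page a GlobalSign CA) is not in the local store and was not supplied, so verification stops at depth 0. Case 2 shows that nothing about the root trust changes; only the missing link is filled in. On a bumping proxy the same check applies to the proxy's own outgoing connection, so the trust store it uses for that (in Squid 4 the `cafile=` option of `tls_outgoing_options`, e.g. FreeBSD's ca_root_nss bundle at /usr/local/share/certs/ca-root-nss.crt) is the first thing to confirm when every HTTPS site fails with this code.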

