[squid-users] Squid and SSLBump
Alex Rousskov
rousskov at measurement-factory.com
Thu Nov 21 18:18:18 UTC 2019
On 11/21/19 9:25 AM, Monah Baki wrote:
> The certs/keys are legit from my company.
Is your signing certificate (i.e. wildcardcert.pem) a CA certificate? If
not, then you cannot use it to sign other certificates. SslBump with
dynamic certificate generation requires a CA certificate to sign the
generated certificates.
CA certificates have a "true" CA basic constraint:
$ openssl x509 -in wildcardcert.pem -noout -text | \
grep -A1 'Basic Constraints'
X509v3 Basic Constraints:
CA:TRUE
If they are CA certificates, did you import them into the browser/OS
trusted certificates store? In most environments, a browser will not. by
default, trust a CA certificate that Squid can use to sign dynamically
generated certificates.
Alex.
> My squid.conf is very simple since it's for proof of concept
>
> acl localnet src 10.0.0.0/8 <http://10.0.0.0/8> # RFC1918 possible
> internal network
> acl localnet src 172.16.0.0/12 <http://172.16.0.0/12> # RFC1918
> possible internal network
> acl localnet src 192.168.0.0/16 <http://192.168.0.0/16> # RFC1918
> possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 172.16.84.242:3128 <http://172.16.84.242:3128> ssl-bump \
> cert=/etc/squid/certs/wildcardcert.pem \
> key=/etc/squid/certs/wildcardkey.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> acl step1 at_step SSlBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 16MB
> sslcrtd_children 32 startup=5 idle=1
>
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> strip_query_terms off
> # logformat squid %>a - %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru" %Hs
> %st "%{Referer}>h" "%{User-agent}>h"
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A
> %mt [%>h] [%<h]
> access_log /var/log/squid/access.log squid
>
>
> Browsing http sites works fine, but I am having issues with https
>
> In my access.log I get:
> 1574346211.538 30 172.16.84.241 TAG_NONE/200 0 CONNECT
> www.cnn.com:443 <http://www.cnn.com:443> - HIER_DIRECT/www.cnn.com
> <http://www.cnn.com> - [User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64;
> Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 0\r\nDNT:
> 1\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nHost:
> www.cnn.com:443 <http://www.cnn.com:443>\r\n] [-]
>
>
> In Internet explorer I get the following:
>
> Certificate Error: Navigation Blocked
>
>
> There is a problem with this website’s security certificate.
>
>
>
>
>
>
> The security certificate presented by this website is not secure.
>
> Security certificate problems may indicate an attempt to fool you
> or intercept any data you send to the server.
>
>
>
>
> *We recommend that you close this webpage and do not continue to
> this website.*
>
>
> *
> *
>
>
> * *
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list