[squid-users] Squid and SSLBump
Monah Baki
monahbaki at gmail.com
Thu Nov 21 20:19:46 UTC 2019
I added the following:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
and it works now.
In my access.log:
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT static.xx.fbcdn.net:443" 200 4199 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbcdn.net:443" 200 5431 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbsbx.com:443" 200 5439 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT connect.facebook.net:443" 200 6085 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT www.cnn.com:443" 200 155123 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
So since I am new to sslbump, what am I benefiting from this? Will I be
able to see unencrypted data?
Thanks
On Thu, Nov 21, 2019 at 1:18 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 11/21/19 9:25 AM, Monah Baki wrote:
>
> > The certs/keys are legit from my company.
>
> Is your signing certificate (i.e. wildcardcert.pem) a CA certificate? If
> not, then you cannot use it to sign other certificates. SslBump with
> dynamic certificate generation requires a CA certificate to sign the
> generated certificates.
>
> CA certificates have a "true" CA basic constraint:
>
> $ openssl x509 -in wildcardcert.pem -noout -text | \
> grep -A1 'Basic Constraints'
> X509v3 Basic Constraints:
> CA:TRUE
>
>
> If they are CA certificates, did you import them into the browser/OS
> trusted certificates store? In most environments, a browser will not, by
> default, trust a CA certificate that Squid can use to sign dynamically
> generated certificates.
>
> Alex.
>
>
> > My squid.conf is very simple since it's for proof of concept
> >
> > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> >
> > # Squid normally listens to port 3128
> > http_port 172.16.84.242:3128 ssl-bump \
> > cert=/etc/squid/certs/wildcardcert.pem \
> > key=/etc/squid/certs/wildcardkey.pem \
> > generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 16MB
> > sslcrtd_children 32 startup=5 idle=1
> >
> > cache_dir ufs /var/spool/squid 100 16 256
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> > strip_query_terms off
> > # logformat squid %>a - %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru" %Hs %st "%{Referer}>h" "%{User-agent}>h"
> > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
> > access_log /var/log/squid/access.log squid
> >
> >
> > Browsing http sites works fine, but I am having issues with https
> >
> > In my access.log I get:
> > 1574346211.538 30 172.16.84.241 TAG_NONE/200 0 CONNECT www.cnn.com:443 - HIER_DIRECT/www.cnn.com - [User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 0\r\nDNT: 1\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nHost: www.cnn.com:443\r\n] [-]
> >
> >
> > In Internet Explorer I get the following:
> >
> > Certificate Error: Navigation Blocked
> >
> > There is a problem with this website’s security certificate.
> >
> > The security certificate presented by this website is not secure.
> >
> > Security certificate problems may indicate an attempt to fool you
> > or intercept any data you send to the server.
> >
> > We recommend that you close this webpage and do not continue to
> > this website.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
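The CA-constraint check Alex describes above, worked through end to end with the openssl CLI against a throwaway PKI. This is an added example, not code from the thread or from the Squid project. The file names (ca.pem, wildcard.pem, ext.cnf), the example.internal host names and the bumped-by-* output names are made up for the demonstration. It generates a self-signed test CA and a CA-issued wildcard server certificate shaped like the "legit company cert" in the original http_port line, checks each for CA:TRUE, and then uses each as the issuer to mint a per-host certificate the way ssl_crtd would. Verifying the result against the root shows that only the certificate minted by the real CA is accepted; the one minted by the wildcard server certificate is rejected, which is the situation a client reports as a certificate error.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# build a throwaway PKI with openssl and show why a non-CA "wildcard" server
# certificate cannot act as the SslBump signing certificate. All file names,
# subjects and host names below are made up for the demonstration.
set -eu

# Exit 0 when the certificate carries the CA:TRUE basic constraint, which is
# what Squid's dynamic certificate generation needs in the cert= file.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Create in $1: a self-signed test CA (ca.pem/ca.key) and a CA-issued wildcard
# server certificate (wildcard.pem/wildcard.key) with CA:FALSE, i.e. the kind
# of company certificate that usually ends up in cert= by mistake.
make_test_pki() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.internal, DNS:example.internal
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test CA" \
        -config "$dir/ext.cnf" -extensions v3_ca >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.csr" \
        -subj "/CN=*.example.internal" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$dir/wildcard.csr" -days 2 -set_serial 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/wildcard.pem" >/dev/null 2>&1
}

# Imitate what ssl_crtd does for a bumped host: mint a server certificate for
# www.example.internal using $dir/$2.pem and $dir/$2.key as the issuer, then
# verify the chain the way a client that trusts only ca.pem would.
# Exit 0 only if minting succeeds AND the chain verifies.
mint_and_verify() {
    dir=$1; issuer=$2; out=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$out.key" -out "$dir/$out.csr" \
        -subj "/CN=www.example.internal" -config "$dir/ext.cnf" >/dev/null 2>&1 || return 1
    # The openssl CLI does not refuse a non-CA issuer here; the problem only
    # surfaces when a relying party validates the chain.
    openssl x509 -req -in "$dir/$out.csr" -days 2 -set_serial 2 \
        -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
        -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/$out.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" -untrusted "$dir/$issuer.pem" \
        "$dir/$out.pem" >/dev/null 2>&1
}

# Stand-alone run: build the PKI, report both checks, clean up.
WORK=$(mktemp -d)
make_test_pki "$WORK"
for f in ca wildcard; do
    if is_ca_cert "$WORK/$f.pem"; then
        echo "$f.pem: CA:TRUE  -> usable as the ssl-bump cert="
    else
        echo "$f.pem: not a CA -> clients reject anything it signs"
    fi
done
if mint_and_verify "$WORK" ca bumped-by-ca; then
    echo "per-host cert minted by ca.pem verifies against ca.pem"
fi
if ! mint_and_verify "$WORK" wildcard bumped-by-wildcard; then
    echo "per-host cert minted by wildcard.pem fails verification (invalid CA certificate)"
fi
rm -rf "$WORK"
```

Run it with `sh`; it needs only the openssl CLI and writes to a temporary directory. Note that `is_ca_cert` is a necessary but not sufficient check: the browser or OS trust store on the client still has to contain that CA, as Alex points out. Also, the two directives that made the browser error go away in the message above, `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`, act on the other side of the proxy: they tell Squid to accept any certificate presented by the origin server, including self-signed or mismatched ones. Once they are in place, a bumped client sees only Squid's generated certificate and can no longer detect a man-in-the-middle between Squid and the Internet, so they should be treated as a proof-of-concept shortcut rather than a fix for client-side certificate errors.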