[squid-users] Squid and SSLBump

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 22 08:43:29 UTC 2019 

On 22/11/19 9:19 am, Monah Baki wrote:
> I added the following:
> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> 
> and it works now.
> 
> In my access.log:
> 
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT
> static.xx.fbcdn.net:443 <http://static.xx.fbcdn.net:443>" 200 4199 "-"
> "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbcdn.net:443
> <http://fbcdn.net:443>" 200 5431 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbsbx.com:443
> <http://fbsbx.com:443>" 200 5439 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT
> connect.facebook.net:443 <http://connect.facebook.net:443>" 200 6085 "-"
> "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT www.cnn.com:443
> <http://www.cnn.com:443>" 200 155123 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
> 
> 
> So since I am new to sslbump, what am I benefiting from this?

You are not benefiting. Problems the users ask you to track down with
TLS will now be hidden from your debugging attempts. Users TLS can now
be intercepted and the traffic replaced by anyone. You will not be shown
the signs of that happening since you told Squid to hide them.


> able to see unencrypted data?

No more than before. Its just that Squid will no longer attempt to
verify the certs are valid or report in logs etc about problems.
Basically your users traffic can now be intercepted by anybody, anywhere
along the Internet paths and replaced with other content - your Squid
will not report anything amiss.

Basically any TLS through your proxy is no longer secure.



In general you will always see sites having trouble with TLS. This is
normal, expected, and sometimes a *good* thing.

Change your focus to identifying *what* is failing for each site that
you want to work but fails. Sometimes it is a problem you can fix,
sometimes can be ignored (sslproxy_cert_error directive is for these).
But definitely decide what to do case-by-case instead of "allow all".


Amos

More information about the squid-users mailing list