[squid-users] Issues with TLS inspection- 3 Follow up question

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 29 12:45:11 UTC 2020


On 29/01/20 4:32 pm, aashutosh kalyankar wrote:
> As suggested, I removed the settings for explicit proxy and have NAT
> move the HTTP/HTTPs request to squid intercept ports, and all the web
> traffic is now going through the proxy server (I see certs and
> connection requests in the cache log file).
> 
> I have a follow-up question. Any idea how we can accurately test to make
> sure SSL bump is happening for a connection?

Use any tools that you like which can show the TLS server certificate
and CA certificate that signed it.
 * When the 'bump' action takes place the certificate will be signed by the
CA cert you configured Squid to use.
 * When the 'splice' action takes place the certificate will be its normal one.


> I have doubts as I was expecting, "Your connection is not Private" error
> when no CA cert on my browser.

That message does not mean what the hype claims. It is security theatre
by the Browser folks to force web developers to use TLS / HTTPS.


> CA cert or no CA cert in my cert-manager
> does not affect the connection.

*That* is a worry. You should at least see a difference between those
two cases.


> Also, I read in some articles that
> dropbox and apple app store will not work if SSL Bump is active, but it
> works for me without any issues.

That depends on device type and such details. Squid is also constantly
improving in these areas.


> I was able to verify that websites in the ssl::server_name acl whitelist
> do not use squid generated certs for connection, as expected.
> 
> Squid file:
>> acl localnet src 172.22.22.0/24
>> acl localnet src 172.16.10.0/24
>> acl localnet src 172.18.10.0/24
>> acl localnet src 10.0.0.0/8


acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access deny all


>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_certs/myCA1.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl nobumpSites ssl::server_name "/etc/squid/whitelist.txt"
>>
>> ssl_bump peek step1 all

No need for that "all".

>> ssl_bump splice nobumpSites
>> ssl_bump stare step2
>> ssl_bump bump step3


Amos
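The check Amos describes above (compare the issuer of the leaf certificate the client receives with the subject of the CA on `https_port cert=`), written out as an added example; this script is not part of the thread or of Squid. It assumes the openssl CLI is installed, that the client runs it from behind the intercepting proxy, and that CA_PEM points at the CA from the config above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl CLI; run from a
# client behind the intercept proxy; CA_PEM is the cert= file on https_port.
CA_PEM="${CA_PEM:-/etc/squid/ssl_certs/myCA1.pem}"

# Issuer DN (RFC 2253 form) of the leaf certificate actually presented to a
# client connecting to host:port. Through a bumping proxy this is the
# Squid-generated certificate, not the origin server's.
seen_issuer() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Subject DN of the CA Squid signs generated certificates with.
bump_ca_subject() {
    openssl x509 -in "$CA_PEM" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Pure string comparison, so it can be checked without network access:
# issuer == bump CA subject  -> Squid generated the cert ('bump')
# anything else (or no cert) -> origin's own cert passed through ('splice')
classify() {
    issuer="$1"; ca_subject="$2"
    if [ -n "$issuer" ] && [ "$issuer" = "$ca_subject" ]; then
        echo bump
    else
        echo splice
    fi
}

# Usage: sh check_bump.sh example.com dropbox.com ...
# One line per host: "<host>: bump|splice  issuer=<DN>". Hosts listed in
# /etc/squid/whitelist.txt (the nobumpSites acl) should report 'splice'.
if [ "$#" -gt 0 ]; then
    ca="$(bump_ca_subject)"
    for h in "$@"; do
        iss="$(seen_issuer "$h")"
        printf '%s: %s  issuer=%s\n' "$h" "$(classify "$iss" "$ca")" "$iss"
    done
fi
```

Issuer-DN equality is a quick indicator; to confirm the signature itself, save the leaf from `openssl s_client -showcerts` and run `openssl verify -CAfile "$CA_PEM" leaf.pem`, which succeeds only for a Squid-generated certificate.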

