[squid-users] How to Configure Proxy Chaining with ssl-bump

Michael Chen michaelchen8176 at gmail.com
Fri Mar 20 05:31:24 UTC 2020


Hi,
I would like to chain Squid to a parent proxy in the cloud, the Netskope
proxy.
First of all, I configured http_port 3128 with ssl-bump, without chaining
to the parent proxy, and it works fine. However, my next step, adding a
cache_peer for the parent proxy with the Netskope certificates loaded,
failed and shows "sslv3 alert certificate unknown".
Below are my configuration and test results:

The first test, without proxy chaining to Netskope (just ssl-bump on the
Squid proxy): Internet access works normally.
My config:

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA9.pem key=/etc/squid/ssl_cert/myCA9.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

cache.log:

[image: image.png]

https://translate.google.com is accessed normally.

The second test is Squid chaining to Netskope (with ssl enabled):
Result: Internet access (HTTP/HTTPS) fails.
My config (I put the Netskope intermediate and root certs in
/etc/squid/ssl_cert/):

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA9.pem key=/etc/squid/ssl_cert/myCA9.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

cache_peer pxc-sasesg-tpe.eu.goskope.com parent 8080 0 no-query default ssl sslpath=/etc/squid/ssl_cert/ sslcafile=/etc/squid/ssl_cert/cacert-2020-01-01.pem login=PASSTHRU ssloptions=NO_SSLv2 sslflags=DONT_VERIFY_DOMAIN

never_direct allow all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

cache.log once Squid restarts shows "sslv3 alert certificate unknown":

[image: image.png]

https://translate.google.com CANNOT be accessed.

Do you see anything wrong?
BR,
Michael