[squid-users] How to Configure Proxy Chaining with ssl-bump

Michael Chen michaelchen8176 at gmail.com
Fri Mar 20 13:13:03 UTC 2020

Hi Amos,
Thanks for your explanation.
Could you instruct me on how to install squid v5 on CentOS 7?
Based on url
CentOS does not seem to support squid v5.


Amos Jeffries <squid3 at treenet.co.nz> wrote on Fri, Mar 20, 2020 at 5:29 PM:

> On 20/03/20 8:27 pm, Michael Chen wrote:
> > Hi Amos,
> > May I know which function Squid v3.5.28 cannot do for my scenario?
> > Because Squid v3.5 still has command of cache_peer and ssl .....
> >
>
> TLS is a volatile environment, with many changes going on constantly.
> Squid-3 has been deprecated since 2018 and is far behind in support
> needed for current TLS practices.
>
> Especially when bumping you should always have the latest Squid version.
>
> This first bit can be tested with Squid-3. It is just about getting a
> secure connection to the peer, any Squid should be able to do that.
>
> Ensure that the peer proxy is delivering its CA *chain* properly.
>  * All the intermediates should be supplied during the server handshake.
>  * cache_peer should only need the root CA for that chain. Configured in
>    the sslca= or tls-ca= option.
>
> At this point your Squid should be able to pass traffic to the peer.
> Test that with regular http:// URL requests to your Squid. *Not* HTTPS
> or bumped traffic.
>
> You can test this following with Squid-3, but do not expect it to work
> very well. Squid-4 is better in a lot of cases, but still not completely.
>
> Your ssl_bump rules should peek at the client cert, then stare at the
> server cert, then bump the crypto. Like so:
>
>  ssl_bump peek  step1
>  ssl_bump stare all
>  ssl_bump bump  all
>
> Amos
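
The chain-delivery check described in the quoted reply (the peer sends every intermediate, so the root CA configured on cache_peer is enough) can be tried offline with OpenSSL. This is an added example, not part of the original thread or of Squid; the function names, the demo-* certificates and the throwaway PKI are constructed for illustration, and PEER_HOST:PEER_PORT is a placeholder.

```shell
#!/bin/sh
# For a live peer, save what it sends (host and port are placeholders):
#   openssl s_client -connect PEER_HOST:PEER_PORT -showcerts </dev/null >sent.pem

# check_chain ROOT_CA SENT_PEM: exit 0 if the first certificate in SENT_PEM
# (the leaf) verifies against ROOT_CA using only the other certificates in
# SENT_PEM as intermediates, i.e. the peer delivered its whole chain.
check_chain() {
    root=$1 sent=$2 rc=0
    work=$(mktemp -d) || return 2
    awk -v d="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d "/" (n == 1 ? "leaf" : "inter") ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { out = "" }' "$sent"
    set -- -CAfile "$root"
    [ -s "$work/inter.pem" ] && set -- "$@" -untrusted "$work/inter.pem"
    # OpenSSL's default CA directory is consulted in addition to ROOT_CA.
    openssl verify "$@" "$work/leaf.pem" >/dev/null 2>&1 || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Constructed throwaway PKI (root -> intermediate -> leaf) in directory $1.
make_demo_chain() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' >"$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    sign() { c=$1; shift; openssl x509 -req -days 2 -in "$d/$c.csr" -out "$d/$c.pem" "$@" 2>/dev/null; }
    sign root -signkey "$d/root.key" -extfile "$d/ca.ext" &&
    sign int  -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" &&
    sign leaf -CA "$d/int.pem"  -CAkey "$d/int.key"  -CAcreateserial &&
    cat "$d/leaf.pem" "$d/int.pem" >"$d/sent_full.pem" &&  # peer sends leaf + intermediate
    cp "$d/leaf.pem" "$d/sent_leaf_only.pem"               # peer omits its intermediate
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
for f in sent_full sent_leaf_only; do
    if check_chain "$demo/root.pem" "$demo/$f.pem"; then
        echo "$f: verifies with the root CA alone"
    else
        echo "$f: FAILS, the peer must send its intermediates"
    fi
done
rm -rf "$demo"
```

A failure on a real capture means the peer's TLS configuration is missing intermediates; the fix belongs on the peer, not in a larger CA bundle on the cache_peer line.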