[squid-users] (SQUID 4.11) SSl_bump Fails on IOS and Android devices

Allan Raymond Ignacio arignacio80 at gmail.com
Sun May 10 20:26:44 UTC 2020


I have compiled and installed SQUID_4.11-3 with SSL and CRTD on Debian 10, and
here is my configuration:


##### SQUID.CONF SNAPSHOT (START) ######

# Manual connection on 3128
http_port 3128

# Standard intercept
http_port 3129 intercept

# intercept & bump SSL connections
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid-ca-cert-key.pem dhparams=/usr/local/etc/squid/certs/dhparam.pem

sslcrtd_children 5

tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol tunnel all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl noBumpSites ssl::server_name .app.seesaw.me .schoology.com .dropbox.com

ssl_bump peek step1 all
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3

##### CONFIG SNAPSHOT (END) ######


I created the certificates by doing the following:


openssl dhparam -outform PEM -out dhparam.pem 2048

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
  -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem

cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem

chown proxy:proxy /etc/squid/ssl/dhparam.pem
chown proxy:proxy /etc/squid/ssl/squid-ca-key.pem

chmod 400 dhparam.pem
chmod 400 squid-ca-key.pem

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

chown -R proxy:proxy /etc/squid/ssl
chown -R proxy:proxy /var/spool/squid/ssl_db

openssl x509 -hash -fingerprint -noout -in /etc/ssl/certs/ca-certificates.crt


### for my firewall, I issued this


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT

iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment --comment "squid http proxy"
iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment --comment "squid http proxy (intercept)"
iptables -A INPUT -j ACCEPT -p tcp --dport 3130 -m comment --comment "squid https proxy (intercept)"

iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 80 \
  -m comment --comment "transparent http proxy" -j DNAT --to-destination 192.168.10.8:3129
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 443 \
  -m comment --comment "transparent https proxy" -j DNAT --to-destination 192.168.10.8:3130


### I can browse https on laptops, BUT when I use iOS or Android devices I
get errors like this in the access log:


1589083941.053      1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072      4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205      5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860     32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862      4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864     38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983      5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642     20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645     48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -


What am I doing wrong? I have read everything about ssl_bump, etc. at these
links:

- https://wiki.squid-cache.org/Features/SslPeekAndSplice

- https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

- http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-6-Transparent-HTTP-amp-HTTPS-Proxy-td4687578.html


If anyone can point out to me what's wrong with my squid.conf configuration, or
can provide me with a working squid.conf for ssl_bump, I will be indebted
to you.


Thanks.



Jeremy
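As an added example (not code from the post or from Squid), a small Python parser that summarises CONNECT entries per client from Squid's default native access.log format, the format of the lines quoted above, and flags clients whose every CONNECT tunnel ended NONE_ABORTED with 0 bytes delivered, so those devices can be separated from clients whose bumped connections complete. The sample log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 192.168.10.10 and .15 abort every CONNECT with 0 bytes,
# while 192.168.10.20 (a laptop) tunnels and fetches data normally.
SAMPLE_LOG = """\
1589083941.053      1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072      4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205      5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860     32 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083942.001    120 192.168.10.20 TCP_TUNNEL/200 5120 CONNECT 93.184.216.34:443 - HIER_DIRECT/93.184.216.34 -
1589083942.310    250 192.168.10.20 TCP_MISS/200 8421 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

@dataclass
class ClientStats:
    connects: int = 0      # CONNECT entries seen for this client
    aborted: int = 0       # of those, how many were NONE_ABORTED
    bytes_total: int = 0   # bytes sent to the client across all CONNECTs

def parse_line(line):
    """Split one native-format line; returns None for malformed lines."""
    f = line.split()
    if len(f) < 7:
        return None
    code = f[3].split("/")[0]                 # NONE_ABORTED from NONE_ABORTED/200
    return f[2], code, int(f[4]), f[5], f[6]  # client, code, bytes, method, url

def summarise(log_text):
    """Per-client CONNECT statistics, keyed by client IP."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "CONNECT":
            continue                          # skip malformed and non-CONNECT lines
        client, code, size, _method, _url = rec
        s = stats[client]
        s.connects += 1
        s.bytes_total += size
        if code == "NONE_ABORTED":
            s.aborted += 1
    return stats

def suspect_clients(stats, min_connects=2):
    """Clients whose every CONNECT aborted with nothing delivered."""
    return sorted(c for c, s in stats.items()
                  if s.connects >= min_connects
                  and s.aborted == s.connects and s.bytes_total == 0)
```

Running `suspect_clients(summarise(open("/var/log/squid/access.log").read()))` lists the client IPs showing the pattern; the min_connects threshold keeps a single stray abort from flagging a host.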