[squid-users] Trying to set up SSL cache

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 25 11:16:30 UTC 2022 

On 24/02/22 15:26, Dave Blanchard wrote:
> Hello, I'm trying to configure Squid as a HTTPS cache on my local computer, using ssl-bump. I've got it working as a basic proxy, but the traffic seems to just be tunneling through and not being cached.

Do you actually get at least *2* (maybe 3) Squid access.log entries per 
client connection demonstrating that?


> My web browser shows the site's actual certificate, rather than the locally generated self-signed certificate, which I want it to see. I have followed every tutorial I can find and none of them are helpful in figuring out what the hell is going on here. Here is what my config file looks like:
> 
> [...]
> 
> http_port 3128 ssl-bump \
>                 generate-host-certificates=on \
>                 dynamic_cert_mem_cache_size=32MB \
>                 cert=/path/to/self-signed.pem \
>                 key=/path/to/self-signed.pem
> 
> sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl-database -M 32MB
> 
> ssl_bump peek all

Okay TLS handshake clientHello gets observed by Squid.

At this point you should see 2 CONNECT requests in access.log, first 
(step1) with raw-IP and second (step2) with the TLS SNI from this 
clientHello (if any, otherwise raw-IP again).


> ssl_bump bump all

... now (step3) everything gets decrypted.

At this point you should start seeing access.log entries with https:// 
URLs and the actual server name per the serverHello certificate.


> ssl_bump splice localhost
> 

The connection is already bump'ed. This rule can never be reached.


> [...]
> 
> Otherwise, it's pretty much just the default config. The only thing that seems to halfway work is removing the line:
> 
> http_access deny CONNECT !SSL_ports
> 
> and changing to:
> 
> http_access deny CONNECT
> 

This actively rejects *all* CONNECT messages. Including the one Squid 
uses internally for SSL-Bump step1.


> With that change, an older Chromium just hangs trying to load the page, saying "Processing request." On a WebKit-based browser, I get a Squid 'Access Denied' error page.

As expected with a "deny CONNECT" rule on a CONNECT request.

This is actually the best outcome right now. It means the SSL-Bump 
crypto part is working fine for at least this second client.

What you need to do next is figure out which of your other rules is 
causing things to go wrong when the HTTP message inside the TLS is received.

For example; whether it is actually *HTTP/1* messages arriving. Other 
things will revert back to tunneling (see 
<http://www.squid-cache.org/Doc/config/on_unsupported_protocol/>)


> Another WebKit browser complains about the certificate, but when I tell it to continue anyway, it gives the same 'Access Denied' page.
> A newer Chromium stops right away with an untrusted SSL certificate error, and the details look like it's getting the self-signed certificate, as expected.
> 

These clients do not trust the CA Squid is using as signing cert. That 
will need to be fixed to avoid the cert complaint, but does not 
otherwise make any difference to the main issue.


You could use these browsers to test if you don't mind the popup. But I 
recommend the one which already trusts Squids signing CA until you have 
the rest of the basics working.



There are a few things to be aware of while troubleshooting:

* not all TLS connections can be bump'ed. TLS is designed to prevent 
exactly the type of decrypt that bump does. If the client and server are 
using TLS properly bump *will* fail.


* Google are known to be rather pedantic about security. So having their 
software at either end of the TLS when testing is more likely to hit 
such non-decryptable TLS connections.


* Checking the test web service for TLS certificate pinning or DANE. 
Both of these lock the/some client into using the original server 
certificate and they will unavoidably reject the Squid signing CA.

* Check traffic from the web server for HTTPS-Transport-Security or 
Alt-Svc HTTP headers. Both of these can break SSL-Bump if they reach a 
client. What is worse they can force arbitrarily long cache times for 
the info they contain, causing breakage to extend across the whole 
period. Only a full client purge of state and never receiving the info 
again can via any protocol fix these.


Amos

More information about the squid-users mailing list