<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
So I took the advice of those here to get explicit working first, so here's my first attempt.  My test environment is Ubuntu 15.04 Server as the squid server with virtualbox running on it with Kali linux as the client.  Here's my Squid 3.5.4 configure line:<BR>
<BR>
<TT>./configure --prefix=/opt --enable-icap-client --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none</TT><BR>
<BR>
<BR>
<BR>
Full squid.conf:<BR>
#####################################<BR>
<TT>acl localnet src 192.168.1.0/24</TT><BR>
<BR>
<TT>acl SSL_ports port 443</TT><BR>
<TT>acl Safe_ports port 80</TT><BR>
<TT>acl Safe_ports port 443</TT><BR>
<BR>
<TT>acl CONNECT method CONNECT</TT><BR>
<BR>
<TT>http_access allow all</TT><BR>
<BR>
<TT>sslproxy_cert_error allow all</TT><BR>
<TT>sslproxy_cert_error deny all</TT><BR>
<TT>sslproxy_capath /etc/ssl/certs</TT><BR>
<TT>sslproxy_flags DONT_VERIFY_PEER </TT><BR>
<TT>sslproxy_options ALL</TT><BR>
<BR>
<TT>sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB</TT><BR>
<TT>sslcrtd_children 5</TT><BR>
<BR>
<TT>http_port 3129 ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE</TT><BR>
<BR>
<TT>external_acl_type sni ttl=30 concurrency=10 children-max=20 children-startup=5 %ssl::>sni /opt/etc/squid/bumphelper.py</TT><BR>
<BR>
<TT>acl sni_exclusions external sni</TT><BR>
<TT>acl tcp_level at_step SslBump1</TT><BR>
<TT>acl client_hello_peeked at_step SslBump2</TT><BR>
<BR>
<TT>ssl_bump peek tcp_level all</TT><BR>
<TT>ssl_bump splice client_hello_peeked sni_exclusions</TT><BR>
<TT>ssl_bump bump all</TT><BR>
<BR>
<TT>logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::bump_mode %ssl::>sni %ssl::>cert_subject</TT><BR>
<BR>
<TT>access_log syslog:daemon.info mine</TT><BR>
<BR>
<TT>refresh_pattern -i (cgi-bin|\?)       0       0%      0</TT><BR>
<TT>refresh_pattern .             0       20%     4320</TT><BR>
<BR>
<TT>coredump_dir /opt/var</TT><BR>
#####################################<BR>
<BR>
<BR>
bumphelper.py:<BR>
#####################################<BR>
<TT>#!/usr/bin/python</TT><BR>
<BR>
<TT>import sys</TT><BR>
<BR>
<TT># Squid external_acl_type helper. With concurrency=10 in squid.conf each</TT><BR>
<TT># stdin line is "channel-id sni" (sni is "-" when the ClientHello carried none).</TT><BR>
<TT># Reply "channel-id OK" to match the sni_exclusions acl (splice), or</TT><BR>
<TT># "channel-id ERR" so the connection falls through to "ssl_bump bump all".</TT><BR>
<TT>while True:</TT><BR>
<TT>    req = sys.stdin.readline()</TT><BR>
<BR>
<TT>    if not req:  # EOF: Squid has closed the helper, exit cleanly</TT><BR>
<TT>        break</TT><BR>
<BR>
<TT>    id, sni = req.split()</TT><BR>
<BR>
<TT>    sys.stderr.write('request %r\n' % req)  # shows up in cache.log when run with -d</TT><BR>
<TT>    sys.stderr.flush()</TT><BR>
<BR>
<TT>    if sni == 'google.com':  # bypass; exact compare, so 'www.google.com' does not match</TT><BR>
<TT>        sys.stdout.write('{} OK\n'.format(id))</TT><BR>
<TT>        sys.stdout.flush()  # flush every reply or Squid waits on a buffered line</TT><BR>
<TT>    else:</TT><BR>
<TT>        sys.stdout.write('{} ERR\n'.format(id))</TT><BR>
<TT>        sys.stdout.flush()</TT><BR>
#####################################<BR>
<BR>
The tests:<BR>
root@kali:~/test# wget -d <A HREF="https://www.google.com">https://www.google.com</A><BR>
######################################<BR>
<TT>DEBUG output created by Wget 1.13.4 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = `UTF-8'</TT><BR>
<TT>URI encoding = `UTF-8'</TT><BR>
<TT>--2015-05-28 17:44:31--  <A HREF="https://www.google.com/">https://www.google.com/</A></TT><BR>
<TT>Connecting to 192.168.1.6:3129... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x092c6730 (new refcount 0).</TT><BR>
<TT>Deleting unused 0x092c6730.</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>CONNECT <A HREF="http://www.google.com:443">www.google.com:443</A> HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.13.4 (linux-gnu)</TT><BR>
<BR>
<TT>---request end---</TT><BR>
<TT>proxy responded with: [HTTP/1.1 200 Connection established</TT><BR>
<BR>
<TT>]</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>GET / HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.13.4 (linux-gnu)</TT><BR>
<TT>Accept: */*</TT><BR>
<TT>Host: <A HREF="http://www.google.com">www.google.com</A></TT><BR>
<TT>Connection: Close</TT><BR>
<TT>Proxy-Connection: Keep-Alive</TT><BR>
<BR>
<TT>---request end---</TT><BR>
<TT>Proxy request sent, awaiting response... </TT><BR>
<TT>---response begin---</TT><BR>
<TT>HTTP/1.1 503 Service Unavailable</TT><BR>
<TT>Server: squid/3.5.4</TT><BR>
<TT>Mime-Version: 1.0</TT><BR>
<TT>Date: Thu, 28 May 2015 23:44:33 GMT</TT><BR>
<TT>Content-Type: text/html;charset=utf-8</TT><BR>
<TT>Content-Length: 3899</TT><BR>
<TT>X-Squid-Error: ERR_SECURE_CONNECT_FAIL 32</TT><BR>
<TT>Vary: Accept-Language</TT><BR>
<TT>Content-Language: en</TT><BR>
<TT>X-Cache: MISS from analysis</TT><BR>
<TT>Via: 1.1 analysis (squid/3.5.4)</TT><BR>
<TT>Connection: close</TT><BR>
<BR>
<TT>---response end---</TT><BR>
<TT>503 Service Unavailable</TT><BR>
<TT>URI content encoding = `utf-8'</TT><BR>
<TT>2015-05-28 17:44:32 ERROR 503: Service Unavailable.</TT><BR>
########################################<BR>
<BR>
access.log entry for the above wget:<BR>
#####################################<BR>
<TT>May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "CONNECT <A HREF="http://www.google.com:443">www.google.com:443</A> HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek <A HREF="http://www.google.com">www.google.com</A> -</TT><BR>
<TT>May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "GET <A HREF="https://www.google.com/">https://www.google.com/</A> HTTP/1.1" 503 4242 TAG_NONE:HIER_NONE - <A HREF="http://www.google.com">www.google.com</A> -</TT><BR>
#####################################<BR>
<BR>
<BR>
<BR>
sudo /opt/sbin/squid -d 1 -N -f /opt/etc/squid/squid.conf<BR>
######################################<BR>
<TT>2015/05/28 17:44:33| Error negotiating SSL on FD 14: error:00000000:lib(0):func(0):reason(0) (5/-1/32)</TT><BR>
######################################<BR>
<BR>
<BR>
I see the same type of thing for apple.com and yahoo.com.  I'm assuming this is HSTS, but I could be wrong.  MSN however works fine with the above:<BR>
root@kali:~/test# wget -d <A HREF="https://www.msn.com">https://www.msn.com</A><BR>
######################################<BR>
<TT>DEBUG output created by Wget 1.13.4 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = `UTF-8'</TT><BR>
<TT>URI encoding = `UTF-8'</TT><BR>
<TT>--2015-05-28 18:24:50--  <A HREF="https://www.msn.com/">https://www.msn.com/</A></TT><BR>
<TT>Connecting to 192.168.1.6:3129... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x0a6493c0 (new refcount 0).</TT><BR>
<TT>Deleting unused 0x0a6493c0.</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>CONNECT <A HREF="http://www.msn.com:443">www.msn.com:443</A> HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.13.4 (linux-gnu)</TT><BR>
<BR>
<TT>---request end---</TT><BR>
<TT>proxy responded with: [HTTP/1.1 200 Connection established</TT><BR>
<BR>
<TT>]</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>GET / HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.13.4 (linux-gnu)</TT><BR>
<TT>Accept: */*</TT><BR>
<TT>Host: <A HREF="http://www.msn.com">www.msn.com</A></TT><BR>
<TT>Connection: Close</TT><BR>
<TT>Proxy-Connection: Keep-Alive</TT><BR>
<BR>
<TT>---request end---</TT><BR>
<TT>Proxy request sent, awaiting response... </TT><BR>
<TT>---response begin---</TT><BR>
<TT>HTTP/1.1 200 OK</TT><BR>
######################################<BR>
<TT>May 28 18:24:51 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:51 -0600] "CONNECT <A HREF="http://www.msn.com:443">www.msn.com:443</A> HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek <A HREF="http://www.msn.com">www.msn.com</A> -</TT><BR>
<TT>May 28 18:24:52 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:52 -0600] "GET <A HREF="https://www.msn.com/">https://www.msn.com/</A> HTTP/1.1" 200 38613 TCP_MISS:HIER_DIRECT bump <A HREF="http://www.msn.com">www.msn.com</A> -</TT><BR>
######################################<BR>
<BR>
I found that adding <TT>%ssl::bump_mode</TT> to logging sure helped out with where I was at in the steps.  I also tried the new acl <TT>ssl::server_name</TT> instead of using the external helper, but I got the same results with google, yahoo, and apple.  Even setting <TT>ssl_bump splice all</TT> didn't work well... it appears that yahoo, google, and apple are peek resistant.  I'll keep digging.  Thank you.<BR>
<BR>
James
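<BR>
An added example, not James's bumphelper.py and not code from the Squid project: a helper that speaks the same concurrent external_acl_type protocol as the squid.conf above (stdin line "channel-id sni", reply "channel-id OK" or "channel-id ERR"), matches a host against a splice list by suffix so www.google.com matches google.com, and treats the "-" Squid sends when no SNI was seen as a non-match. The domain list is constructed for the example.<BR>

```python
#!/usr/bin/env python3
"""SNI splice helper for Squid's external_acl_type (added example).

Protocol, as wired by "external_acl_type sni ... concurrency=10 %ssl::>sni":
  stdin : "<channel-id> <sni>"      sni is "-" when the ClientHello had none
  stdout: "<channel-id> OK"  -> acl matches, "ssl_bump splice" rule applies
          "<channel-id> ERR" -> acl fails, falls through to "ssl_bump bump all"
"""
import sys

# Constructed splice list for the example. A host matches if it equals an
# entry or is a subdomain of one, so "www.google.com" matches "google.com".
SPLICE_DOMAINS = frozenset({"google.com", "apple.com", "yahoo.com"})


def sni_matches(sni, domains=SPLICE_DOMAINS):
    """True if sni equals one of domains or is a subdomain of one."""
    sni = sni.rstrip(".").lower()
    if not sni or sni == "-":          # no SNI seen: never splice on it
        return False
    parts = sni.split(".")
    # Walk the suffixes: www.google.com -> google.com -> com
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def handle_line(line):
    """Map one lookup line to the reply Squid expects; None if malformed."""
    fields = line.split()
    if len(fields) < 2:                 # channel id or value missing: drop it
        return None
    channel, sni = fields[0], fields[1]
    verdict = "OK" if sni_matches(sni) else "ERR"
    return "{} {}\n".format(channel, verdict)


def main():
    # Answer each lookup as it arrives and flush; Squid blocks on the reply.
    while True:
        line = sys.stdin.readline()
        if not line:                    # EOF: Squid closed the helper
            break
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply)
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```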
</BODY>
</HTML>