<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
Config first:<BR>
<BR>
<TT>####################################################</TT><BR>
<TT>acl localnet src 192.168.1.0/24</TT><BR>
<BR>
<TT>acl SSL_ports port 443</TT><BR>
<TT>acl Safe_ports port 80</TT><BR>
<TT>acl Safe_ports port 443</TT><BR>
<BR>
<TT>acl CONNECT method CONNECT</TT><BR>
<BR>
<TT>acl step1 at_step SslBump1</TT><BR>
<TT>acl step2 at_step SslBump2</TT><BR>
<BR>
<TT>ssl_bump peek step1 all</TT><BR>
<TT>#https_server_names.txt has \.google\.com, \.yahoo\.com, \.msn\.com</TT><BR>
<TT>acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"</TT><BR>
<BR>
<TT>http_access allow all</TT><BR>
<BR>
<TT>ssl_bump bump allowed_https_sites</TT><BR>
<TT>ssl_bump terminate !allowed_https_sites</TT><BR>
<BR>
<TT>sslproxy_cert_error allow all</TT><BR>
<TT>sslproxy_capath /etc/ssl/certs</TT><BR>
<TT>sslproxy_flags DONT_VERIFY_PEER </TT><BR>
<TT>sslproxy_options ALL</TT><BR>
<BR>
<TT>sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB</TT><BR>
<TT>sslcrtd_children 5</TT><BR>
<BR>
<TT>http_port 3128 intercept</TT><BR>
<TT>https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE</TT><BR>
<BR>
<TT>logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode </TT><BR>
<BR>
<TT>access_log syslog:daemon.info mine</TT><BR>
<BR>
<TT>refresh_pattern -i (cgi-bin|\?)       0       0%      0</TT><BR>
<TT>refresh_pattern .             0       20%     4320</TT><BR>
<BR>
<TT>coredump_dir /opt/var</TT><BR>
<TT>####################################################</TT><BR>
<BR>
<BR>
So the above works to bump and filter out (the order of these lines absolutely seemed to matter) if the site you go to isn't in the allowed_https_sites acl. The sticking point is the http_access... the above will filter https based on the allowed_https_server_names.txt, but completely allows ALL http, so <B>this isn't complete yet.</B> Below is going to a site in the allowed_https_sites acl:<BR>
<BR>
<TT>[08:59:44 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d <A HREF="https://www.msn.com">https://www.msn.com</A></TT><BR>
<TT>DEBUG output created by Wget 1.16 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = ‘UTF-8’</TT><BR>
<TT>--2015-05-30 08:59:57--  <A HREF="https://www.msn.com/">https://www.msn.com/</A></TT><BR>
<TT>Certificates loaded: 173</TT><BR>
<TT>Resolving <A HREF="http://www.msn.com">www.msn.com</A> (<A HREF="http://www.msn.com">www.msn.com</A>)... 204.79.197.203</TT><BR>
<TT>Caching <A HREF="http://www.msn.com">www.msn.com</A> => 204.79.197.203</TT><BR>
<TT>Connecting to <A HREF="http://www.msn.com">www.msn.com</A> (<A HREF="http://www.msn.com">www.msn.com</A>)|204.79.197.203|:443... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x10503f98 (new refcount 1).</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>GET / HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.16 (linux-gnu)</TT><BR>
<TT>Accept: */*</TT><BR>
<TT>Host: <A HREF="http://www.msn.com">www.msn.com</A></TT><BR>
<TT>Connection: Keep-Alive</TT><BR>
<BR>
<TT>---request end---</TT><BR>
<TT>HTTP request sent, awaiting response... </TT><BR>
<TT>---response begin---</TT><BR>
<TT>HTTP/1.1 200 OK</TT><BR>
<TT>&lt;snip&gt;</TT><BR>
<BR>
May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" <A HREF="http://www.msn.com">www.msn.com</A> 200 0 TAG_NONE:ORIGINAL_DST peek<BR>
May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET <A HREF="https://www.msn.com/">https://www.msn.com/</A> HTTP/1.1" <A HREF="http://www.msn.com">www.msn.com</A> 200 38288 TCP_MISS:ORIGINAL_DST bump<BR>
<BR>
Going to a site not in the allowed_https_sites acl:<BR>
<BR>
<TT>[09:02:12 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d <A HREF="https://www.weather.com">https://www.weather.com</A></TT><BR>
<TT>DEBUG output created by Wget 1.16 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = ‘UTF-8’</TT><BR>
<TT>--2015-05-30 09:04:57--  <A HREF="https://www.weather.com/">https://www.weather.com/</A></TT><BR>
<TT>Certificates loaded: 173</TT><BR>
<TT>Resolving <A HREF="http://www.weather.com">www.weather.com</A> (<A HREF="http://www.weather.com">www.weather.com</A>)... 96.17.8.161, 96.17.8.138, 96.17.8.178, ...</TT><BR>
<TT>Caching <A HREF="http://www.weather.com">www.weather.com</A> => 96.17.8.161 96.17.8.138 96.17.8.178 96.17.8.171</TT><BR>
<TT>Connecting to <A HREF="http://www.weather.com">www.weather.com</A> (<A HREF="http://www.weather.com">www.weather.com</A>)|96.17.8.161|:443... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x1098c108 (new refcount 1).</TT><BR>
<TT>GnuTLS: The TLS connection was non-properly terminated.</TT><BR>
<TT>Closed fd 4</TT><BR>
<TT>Unable to establish SSL connection.</TT><BR>
<BR>
May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek<BR>
<BR>
However, changing http_access to <TT>http_access allow allowed_https_sites</TT> I get:<BR>
<BR>
<TT>[08:59:58 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d <A HREF="https://www.msn.com">https://www.msn.com</A></TT><BR>
<TT>DEBUG output created by Wget 1.16 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = ‘UTF-8’</TT><BR>
<TT>--2015-05-30 09:02:12--  <A HREF="https://www.msn.com/">https://www.msn.com/</A></TT><BR>
<TT>Certificates loaded: 173</TT><BR>
<TT>Resolving <A HREF="http://www.msn.com">www.msn.com</A> (<A HREF="http://www.msn.com">www.msn.com</A>)... 204.79.197.203</TT><BR>
<TT>Caching <A HREF="http://www.msn.com">www.msn.com</A> => 204.79.197.203</TT><BR>
<TT>Connecting to <A HREF="http://www.msn.com">www.msn.com</A> (<A HREF="http://www.msn.com">www.msn.com</A>)|204.79.197.203|:443... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x10515f98 (new refcount 1).</TT><BR>
<TT>The certificate's owner does not match hostname ‘<A HREF="http://www.msn.com">www.msn.com</A>’</TT><BR>
<BR>
May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek<BR>
<BR>
Notice that peek did not get the SNI name per the <TT>%ssl::&gt;sni</TT> in my logging statement. So as of now I have been unable to figure out how to use access control with both http and https. I can do one or the other, but not both so far. Of interest, redirects from http to https do not appear to work:<BR>
<BR>
<TT>[08:37:39 jlay@powerbook:~/test$ wget <A HREF="http://www.yahoo.com">www.yahoo.com</A></TT><BR>
<TT>--2015-05-30 08:37:44--  <A HREF="http://www.yahoo.com/">http://www.yahoo.com/</A></TT><BR>
<TT>Resolving <A HREF="http://www.yahoo.com">www.yahoo.com</A> (<A HREF="http://www.yahoo.com">www.yahoo.com</A>)... 206.190.36.45, 206.190.36.105, 2001:4998:c:a06::2:4008</TT><BR>
<TT>Connecting to <A HREF="http://www.yahoo.com">www.yahoo.com</A> (<A HREF="http://www.yahoo.com">www.yahoo.com</A>)|206.190.36.45|:80... connected.</TT><BR>
<TT>HTTP request sent, awaiting response... 301 Moved Permanently</TT><BR>
<TT>Location: <A HREF="https://www.yahoo.com/">https://www.yahoo.com/</A> [following]</TT><BR>
<TT>--2015-05-30 08:37:44--  <A HREF="https://www.yahoo.com/">https://www.yahoo.com/</A></TT><BR>
<TT>Connecting to <A HREF="http://www.yahoo.com">www.yahoo.com</A> (<A HREF="http://www.yahoo.com">www.yahoo.com</A>)|206.190.36.45|:443... connected.</TT><BR>
<TT>ERROR: The certificate of ‘<A HREF="http://www.yahoo.com">www.yahoo.com</A>’ is not trusted.</TT><BR>
<TT>ERROR: The certificate of ‘<A HREF="http://www.yahoo.com">www.yahoo.com</A>’ hasn't got a known issuer.</TT><BR>
<BR>
May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET <A HREF="http://www.yahoo.com/">http://www.yahoo.com/</A> HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -<BR>
May 30 08:37:45 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:45 -0600] "CONNECT 206.190.36.45:443 HTTP/1.1" <A HREF="http://www.yahoo.com">www.yahoo.com</A> 200 0 TAG_NONE:ORIGINAL_DST peek<BR>
<BR>
Whereas direct does:<BR>
<BR>
<TT>[08:37:45 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d <A HREF="https://www.yahoo.com">https://www.yahoo.com</A></TT><BR>
<TT>DEBUG output created by Wget 1.16 on linux-gnu.</TT><BR>
<BR>
<TT>URI encoding = ‘UTF-8’</TT><BR>
<TT>--2015-05-30 08:38:27--  <A HREF="https://www.yahoo.com/">https://www.yahoo.com/</A></TT><BR>
<TT>Certificates loaded: 173</TT><BR>
<TT>Resolving <A HREF="http://www.yahoo.com">www.yahoo.com</A> (<A HREF="http://www.yahoo.com">www.yahoo.com</A>)... 206.190.36.105, 206.190.36.45, 2001:4998:c:a06::2:4008</TT><BR>
<TT>Caching <A HREF="http://www.yahoo.com">www.yahoo.com</A> => 206.190.36.105 206.190.36.45 2001:4998:c:a06::2:4008</TT><BR>
<TT>Connecting to <A HREF="http://www.yahoo.com">www.yahoo.com</A> (<A HREF="http://www.yahoo.com">www.yahoo.com</A>)|206.190.36.105|:443... connected.</TT><BR>
<TT>Created socket 4.</TT><BR>
<TT>Releasing 0x107800d8 (new refcount 1).</TT><BR>
<BR>
<TT>---request begin---</TT><BR>
<TT>GET / HTTP/1.1</TT><BR>
<TT>User-Agent: Wget/1.16 (linux-gnu)</TT><BR>
<TT>Accept: */*</TT><BR>
<TT>Host: <A HREF="http://www.yahoo.com">www.yahoo.com</A></TT><BR>
<TT>Connection: Keep-Alive</TT><BR>
<BR>
<TT>&lt;snip&gt;</TT><BR>
<BR>
<TT>---response end---</TT><BR>
<TT>200 OK</TT><BR>
<TT>cdm: 1cdm: 1cdm: 1Registered socket 4 for persistent reuse.</TT><BR>
<TT>URI content encoding = ‘utf-8’</TT><BR>
<TT>Length: unspecified [text/html]</TT><BR>
<TT>Saving to: ‘index.html’</TT><BR>
<BR>
May 30 08:38:27 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:27 -0600] "CONNECT 206.190.36.105:443 HTTP/1.1" <A HREF="http://www.yahoo.com">www.yahoo.com</A> 200 0 TAG_NONE:ORIGINAL_DST peek<BR>
May 30 08:38:28 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:28 -0600] "GET <A HREF="https://www.yahoo.com/">https://www.yahoo.com/</A> HTTP/1.1" <A HREF="http://www.yahoo.com">www.yahoo.com</A> 200 325776 TCP_MISS:ORIGINAL_DST bump<BR>
<BR>
I'm getting close... Amos, if you're out there, maybe you can shed some light on the above. Been at this for 5 hours now... happy Saturday!<BR>
<BR>
James
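<BR>
<BR>
An added example, not part of James's post and not Squid's own code: a small Python checker that parses access_log lines written by the <TT>logformat mine</TT> above (the sample lines are copied from the post, syslog prefix included) and re-evaluates the <TT>https_server_names.txt</TT> allowlist the way <TT>ssl::server_name_regex</TT> does, as an unanchored regular-expression search against the SNI. It flags the three situations visible in the logs: a CONNECT denied while the SNI column is still <TT>-</TT> (no SNI at step1), a bumped connection whose SNI is not on the allowlist, and plaintext HTTP requests that the SNI allowlist never sees. The <TT>ANCHORED_PATTERNS</TT> list and all function names are my own assumptions, not from the post.<BR>

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the post above. They are in the "logformat mine" layout
# (client, ident, user, [time], "method url HTTP/ver", sni, status, bytes,
# squid_status:hier, bump_mode) with the prefix that access_log syslog: adds.
SAMPLE_LOG = """\
May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump
May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek
May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek
May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -
"""

# Contents of https_server_names.txt as described in the config comment (unanchored).
ALLOWED_PATTERNS = [r"\.google\.com", r"\.yahoo\.com", r"\.msn\.com"]

# Hypothetical hardened variant (my assumption, not from the post): anchored at the
# end of the name, so a host that merely contains the suffix is rejected.
ANCHORED_PATTERNS = [r"(^|\.)google\.com$", r"(^|\.)yahoo\.com$", r"(^|\.)msn\.com$"]

LINE_RE = re.compile(
    r"^(?:\w{3} +\d+ [\d:]+ \S+ squid(?:\[\d+\])?: )?"      # optional syslog prefix
    r"(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>\S+)" '
    r"(?P<sni>\S+) (?P<status>\d+) (?P<bytes>\d+) "
    r"(?P<squid_status>[A-Z_]+):(?P<hier>[A-Z_]+) (?P<bump_mode>\S+)$"
)


@dataclass
class Entry:
    client: str
    method: str
    url: str
    sni: str          # "-" when Squid had no SNI for this record
    status: int
    size: int
    squid_status: str
    hier: str
    bump_mode: str    # peek / bump / splice / terminate / "-" for plain HTTP


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access_log line in the 'mine' format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        client=m["client"], method=m["method"], url=m["url"], sni=m["sni"],
        status=int(m["status"]), size=int(m["bytes"]),
        squid_status=m["squid_status"], hier=m["hier"], bump_mode=m["bump_mode"],
    )


def server_name_allowed(sni: str, patterns: List[str]) -> bool:
    """Mimic ssl::server_name_regex: an unanchored, case-sensitive regex search.
    A missing SNI ("-") can never match an allowlist entry."""
    if sni == "-":
        return False
    return any(re.search(p, sni) for p in patterns)


def audit(log_text: str, patterns: List[str]) -> List[str]:
    """Walk the log and report policy-relevant oddities as short tagged strings."""
    findings: List[str] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            findings.append(f"unparsed {raw}")
            continue
        # Fake CONNECT denied while the SNI column is still empty: the access rule
        # ran before peek had delivered a server name.
        if e.bump_mode == "peek" and e.sni == "-" and e.squid_status == "TCP_DENIED":
            findings.append(f"denied-before-sni {e.url}")
        # Decrypted traffic for a host that the allowlist does not cover.
        elif e.bump_mode == "bump" and not server_name_allowed(e.sni, patterns):
            findings.append(f"bumped-off-list {e.sni}")
        # Plain HTTP never reaches the SNI allowlist; it is governed by http_access only.
        elif e.method != "CONNECT" and e.url.startswith("http://"):
            findings.append(f"plaintext-http {e.url}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ALLOWED_PATTERNS):
        print(finding)
```

Two caveats the checker makes visible: the unanchored patterns in the post match any server name that merely contains <TT>.msn.com</TT>, so an SNI such as <TT>www.msn.com.example.net</TT> would be bumped as allowed, and anchoring the entries with <TT>$</TT> closes that. Separately, <TT>sslproxy_flags DONT_VERIFY_PEER</TT> together with <TT>sslproxy_cert_error allow all</TT> makes Squid accept whatever certificate the origin presents, so a client that trusts the bump CA always sees a valid certificate regardless of what the origin served.<BR>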
</BODY>
</HTML>