<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 3, 2016 at 9:14 AM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 08/02/2016 09:53 PM, Amos Jeffries wrote:<br>
<br>
> To do bumping with server certificate mimic you need the 'bump' action<br>
> to occur at #3.<br></blockquote><div><br></div><div>Thanks for the clarification. I probably read that 100 times in the documentation but it didn't really sink in until today how that all works. To be brutally honest the whole concept is still a bit lost on me, but I can make sense that you have to perform the SNI CONNECT bits before you can actually bump. My apologies for the earlier misunderstanding...</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
><br>
> Like:<br>
> acl step1 at_step SslBump1<br>
> acl step2 at_step SslBump2<br>
> ssl_bump peek step1<br>
> ssl_bump stare step2<br>
> ssl_bump bump all<br>
><br>
> (or maybe stare and both non-3 steps. I'm not 100% certain there.).<br>
<br>
<br>
Yes, all of the above can be polished and simplified to become just two<br>
lines:<br>
<br>
ssl_bump stare all<br>
ssl_bump bump all<br></blockquote><div><br></div><div>I'm still having issues I'm afraid - albeit different issues. My problem now reads a lot like this guys issue:</div><div><br></div><div><a href="https://www.mail-archive.com/misc@openbsd.org/msg144692.html">https://www.mail-archive.com/misc@openbsd.org/msg144692.html</a></div><div><br></div><div>I did however perform the step he did to rectify his issue and it's not having any effect for me I'm afraid. My browser just times out and no auto-generated certificate is ever generated. I've combed through a number of configurations on the Internet at this point and I'm not seeing how mine is terribly different from anyone else's who is having success. For the sake of completeness I'll post my configuration as it stands today:</div><div><br></div><div> # grep -v ^[\s]*$ /usr/local/squid/etc/squid.conf | grep -v ^#</div><div>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC1918 possible internal network</div><div>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC1918 possible internal network</div><div>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC1918 possible internal network</div><div>acl localnet src fc00::/7 # RFC 4193 local private network range</div><div>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines</div><div>acl SSL_ports port 443</div><div>acl Safe_ports port 80 # http</div><div>acl Safe_ports port 21 # ftp</div><div>acl Safe_ports port 443 # https</div><div>acl Safe_ports port 70 # gopher</div><div>acl Safe_ports port 210 # wais</div><div>acl Safe_ports port 1025-65535 # unregistered ports</div><div>acl Safe_ports port 280 # http-mgmt</div><div>acl Safe_ports port 488 # gss-http</div><div>acl Safe_ports port 591 # filemaker</div><div>acl Safe_ports port 777 # multiling http</div><div>acl CONNECT method CONNECT</div><div>http_access deny !Safe_ports</div><div>http_access deny CONNECT !SSL_ports</div><div>http_access allow localhost manager</div><div>http_access deny manager</div><div>http_access allow localnet</div><div>http_access allow localhost</div><div>ssl_bump stare all</div><div>ssl_bump bump all</div><div>http_access deny all</div><div>http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/gzgtgCA.pem</div><div>cache_dir ufs /var/cache/squid 4000 16 256</div><div>coredump_dir /var/cache/squid</div><div>refresh_pattern ^ftp: 1440 20% 10080</div><div>refresh_pattern ^gopher: 1440 0% 1440</div><div>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0</div><div>refresh_pattern . 0 20% 4320</div><div>sslproxy_cert_error allow all</div><div>sslproxy_flags DONT_VERIFY_PEER</div><div>sslproxy_cert_sign signTrusted</div><div>cache_effective_user squid</div><div>cache_effective_group squid</div><div>access_log daemon:/var/log/squid/access.log squid</div><div>cache_log /var/log/squid/cache.log</div><div>sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB</div><div>sslcrtd_children 10</div><div><br></div><div><br></div><div>I've tried various different combinations of ssl_bump directives including adding the step_1 and step_2 ACLs as suggested by Amos (verbatim), and additionally (again verbatim) the configuration outlined on the <a href="http://squid-cache.org">squid-cache.org</a> site, but at this point the only behavior I'm getting out of the system is that which I've described. I have also tried both peeking and staring, as I understand the use case for my environment stare would be most appropriate, however neither seem to be working for me at this point so it's moot. I've turned off the debugging as I wasn't getting anything terribly useful out of it. I could see CONNECTs to the https sites, and mentions that they qualified for stare or bump, but never did it seem to actually happen. If anyone has anything that I should grep for in debug logs to maybe help I'd be happy to oblige. Perhaps I should just abandon OpenBSD and move to a more common flavor of *nix - although I will miss PF.</div><div><br></div><div>Thanks for the help.</div><div> </div></div></div>