<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.E-mailStijl17
{mso-style-type:personal-compose;
font-family:"Arial",sans-serif;
color:black;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">Due to all the documentation on the internet, we still do not have the answer to the question or whether we can use ssl_bump https traffic to intercept https traffic using
a <b>cache_peer.<o:p></o:p></b></span></p>
<p class="MsoNormal"><b><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">So our question is, can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">Config example:
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">http_port 10.**********:8080 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">http_port 127.0.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
dynamic_cert_mem_cache_size=4MB<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">https_port 127.0.0.1:8081 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
dynamic_cert_mem_cache_size=4MB<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">sslcrtd_children 32 startup=5 idle=1<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">acl step1 at_step SslBump1<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">ssl_bump peek step1<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">cache_peer ************** parent 8080 0 no-query no-netdb-exchange no-digest name=*******<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">never_direct allow all<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">squid –v squid-3.5.20-2.el7.x86_64<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">kind regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN" style="font-family:"Arial",sans-serif;color:#222222">Sandro
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:NL"><o:p></o:p></span></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="3"><br>
Informatie van de Raad voor de rechtspraak, de rechtbanken, de gerechtshoven en de bijzondere colleges vindt u op www.rechtspraak.nl.<br>
</font>
</body>
</html>