[squid-users] transparent proxy https and self signed certificate error
Amos Jeffries
squid3 at treenet.co.nz
Sun Oct 5 05:44:37 UTC 2014
On 5/10/2014 1:29 p.m., Robert Watson wrote:
> using squid 3.4.8, compiled from source with ./configure flags
> --enable-icap-client --enable-ssl --enable-ssl-crtd. Configured
> iptables for transparent proxy (redirect 80 to 3128) and everything
> works fine.
>
> Configured iptables for transparent proxy (redirect 443 to 3127),
> but can't get transparent proxy for https to work. My squid.conf:
> ...
> # Squid https port
> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/XXX.pem
> acl broken_sites dstdomain .example.com
> ssl_bump none localhost
> ssl_bump none broken_sites
> ssl_bump server-first all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 32 startup=5 idle=1
>
> when visiting google (or any other https site) chrome complains
> NET::ERR_CERT_AUTHORITY_INVALID. I tried using internet explorer as
> admin and imported the self signed certificate but that hasn't
> helped.
>
> can anyone please help with how to debug this? thanks, Robert
To debug you will need a packet capture with full packet bodies
(tcpdump -s 0) of the TCP connection between browser and Squid, and
the connection between Squid and server.
Wireshark should be able to decrypt the TLS/SSL handshakes to see what
differences or corruption is happening.
FYI: When testing be sure to clear/empty the ssl_crtd database if any
changes are made to CA keys.
PS. Google with Chrome appear these days to be the champions of
unbreakable TLS, their software is continually being updated to
use/invent new TLS features that close loopholes in TLS design which
allow ssl-bump to take place. What worked last month has no guarantee
of working today, same again next month.
Amos