[squid-users] infinite loop on using SSL to connect to squid with ssl-bump
Jason Haar
Jason_Haar at trimble.com
Mon Oct 20 22:22:10 UTC 2014
Hi there
Both Chrome and Firefox support talking to proxies using SSL (wpad type
"HTTPS" instead of "PROXY"). I'm trying to test that out against my
ssl-bump enabled squid proxy and it's causing an infinite loop
Basically if I do something like
(sleep 2; echo -ne "GET http://slashdot.org/ HTTP/1.0\r\n\r\n"; sleep 4) | openssl s_client -connect localhost:3129
against a squid-3.4.8 proxy set up with
http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
https_port 3129 ssl-bump intercept cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
squid immediately hits 100% CPU and blocks until I kill it. I turned on
debugging (ouch - almost had to power cycle to get out of that!) and
what was happening was squid was trying to ssl-bump the 127.0.0.1:3129
connection itself - i.e. an infinite loop.
The only difference between the HTTP and HTTPS ports is "intercept" -
but that's needed for https_port to even work. http_port works just fine.
I bet I'm simply missing something, any suggestions?
Thanks!
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
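Added example (not part of the post above and not Squid's own code): a small squid.conf port-directive linter that flags the combination the report describes. The reading it encodes, stated here as an assumption about the loop in the post: a port marked `intercept` expects NAT-redirected traffic and asks the kernel for the connection's original destination; when a client instead connects to that port directly (as the `openssl s_client` test does), the "original destination" it recovers is the listening socket itself, so Squid ends up bumping 127.0.0.1:3129, which is what the debug log showed. The first two sample directives are copied from the post; the third (an explicit TLS proxy port on 3130) is constructed for contrast, and `loop_risk()` takes a constructed original-destination tuple rather than reading one from a live socket.

```python
"""Lint squid.conf port directives for the self-bump loop condition.

Added illustration, not Squid project code. Parses http_port/https_port
lines, reports intercept+ssl-bump ports (which must only ever see
NAT-redirected traffic), and checks whether a given "original destination"
lands on one of Squid's own intercept listeners (the loop case).
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample: first two lines are the directives from the post,
# the third is an assumed explicit (non-intercept) TLS proxy port.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
https_port 3129 ssl-bump intercept cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
# assumed for illustration: explicit TLS-to-proxy port without ssl-bump
https_port 3130 cert=/usr/local/squid/etc/squidCA.cert
"""

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}  # assumed set of "self" addresses


@dataclass
class PortDirective:
    directive: str                  # "http_port" or "https_port"
    address: str                    # "3129", "192.0.2.1:3129", "[::]:3129" ...
    flags: set = field(default_factory=set)     # bare words: ssl-bump, intercept, ...
    options: dict = field(default_factory=dict) # key=value words: cert=..., capath=...

    @property
    def port(self) -> int:
        return int(self.address.rsplit(":", 1)[-1])

    @property
    def intercept(self) -> bool:
        return "intercept" in self.flags


def parse_ports(conf: str) -> list[PortDirective]:
    """Return every http_port/https_port directive, comments stripped."""
    ports = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("http_port", "https_port") or len(tokens) < 2:
            continue
        p = PortDirective(tokens[0], tokens[1])
        for tok in tokens[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                p.options[key] = value
            else:
                p.flags.add(tok)
        ports.append(p)
    return ports


def lint(ports: list[PortDirective]) -> list[tuple[int, str]]:
    """Flag intercept+ssl-bump ports: safe only behind a NAT redirect."""
    findings = []
    for p in ports:
        if p.intercept and "ssl-bump" in p.flags:
            findings.append((
                p.port,
                "intercept + ssl-bump: this port must only receive NAT-redirected "
                "traffic; a client connecting to it directly resolves its original "
                "destination to the port itself and Squid will try to bump itself",
            ))
    return findings


def loop_risk(ports: list[PortDirective], orig_dst: tuple[str, int],
              local_hosts: set[str] = LOCAL_HOSTS) -> bool:
    """True when the recovered original destination is one of Squid's own
    intercept listeners, i.e. the self-connection the report describes."""
    host, port = orig_dst
    if host not in local_hosts:
        return False
    return any(p.intercept and p.port == port for p in ports)


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_CONF)
    for port, msg in lint(parsed):
        print(f"port {port}: {msg}")
    # the case from the post: a direct connection to the intercept port
    print("loop risk for 127.0.0.1:3129 ->", loop_risk(parsed, ("127.0.0.1", 3129)))
```

Run it against a real squid.conf by replacing `SAMPLE_CONF` with the file's contents; the intercept port on 3129 is reported and the 127.0.0.1:3129 destination from the debug output is classified as a self-connection, while the explicit ports on 3128 and 3130 are not.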