[squid-users] infinite loop on using SSL to connect to squid with ssl-bump

Jason Haar Jason_Haar at trimble.com
Mon Oct 20 22:22:10 UTC 2014


Hi there

Both Chrome and Firefox support talking to proxies using SSL (wpad type
"HTTPS" instead of "PROXY"). I'm trying to test that out against my
ssl-bump enabled squid proxy and it's causing an infinite loop.

Basically if I do something like

(sleep 2; echo -ne "GET http://slashdot.org/ HTTP/1.0\r\n\r\n"; sleep 4) | openssl s_client -connect localhost:3129

against a squid-3.4.8 proxy set up with

http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
https_port 3129 ssl-bump intercept cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

squid immediately hits 100% CPU and blocks until I kill it. I turned on
debugging (ouch - almost had to power cycle to get out of that!) and
what was happening was squid was trying to ssl-bump the 127.0.0.1:3129
connection itself - i.e. an infinite loop.

The only difference between the HTTP and HTTPS ports is "intercept" -
but that's needed for https_port to even work. http_port works just fine.

I bet I'm simply missing something, any suggestions?

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
