[squid-users] infinite loop on using SSL to connect to squid with ssl-bump
Alex Rousskov
rousskov at measurement-factory.com
Mon Oct 20 23:24:28 UTC 2014
On 10/20/2014 04:22 PM, Jason Haar wrote:
> Both Chrome and Firefox support talking to proxies using SSL (wpad type
> "HTTPS" instead of "PROXY").
I did not know that support was added to major browsers. Any pointers to
the relevant configuration knobs? Can it be configured without WPAD?
> I'm trying to test that out against my
> ssl-bump enabled squid proxy and it's causing an infinite loop
>
> Basically if I do something like
>
> (sleep 2;echo -ne "GET http://slashdot.org/ HTTP/1.0\r\n\r\n"; sleep
> 4)|openssl s_client -connect localhost:3129
>
> against a squid-3.4.8 proxy set up with
>
> https_port 3129 ssl-bump intercept
You are connecting directly to an interception port. I do not think that
is allowed. Interception assumes the client connection was intended for
a non-Squid address. When you break that assumption, you may get a loop.
If you remove SslBump and intercept options from https_port, then Squid
should be able to accept and decode the SSL connection, and receive a
plain GET request inside it.
Please note that I am not sure Squid can currently *bump* CONNECT
requests directed at https_port inside an SSL connection. It is
technically possible, but I am not sure we have the code to actually do
that. I suspect Squid may assume that there is at most one SSL wrapper
for a connection. Supporting multiple SSL layers while bumping the inner
CONNECT may need testing and possibly development.
HTH.
Alex.
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert
> capath=/etc/ssl/certs/ generate-host-certificates=on
> dynamic_cert_mem_cache_size=256MB options=ALL
> https_port 3129 ssl-bump intercept
> cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/
> generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
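The distinction Alex draws above, shown as a squid.conf fragment added here for illustration (not from the original thread or the Squid project); the certificate paths are the ones quoted in the thread, `key=` is the standard https_port option for the private key, and port 3130 is an assumed number for the explicit TLS-to-proxy listener:

```conf
# Interception listener: only traffic transparently REDIRECTed/DNATed to it
# belongs here. A client that opens a TLS connection straight to this port
# breaks the "intended for a non-Squid address" assumption and can loop.
https_port 3129 ssl-bump intercept \
    cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ \
    generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

# Explicit TLS-to-proxy listener (what a browser "HTTPS" proxy setting or a
# WPAD "HTTPS host:port" entry should point at): no intercept, no ssl-bump.
# Squid terminates the client's TLS session here and reads the plain
# proxy-style request (GET http://... or CONNECT host:443) inside it.
# The cert presented on this port should be a normal server certificate for
# the proxy's own hostname, not the bumping CA; the CA path is reused here
# only because it is the one shown in the thread (assumption).
https_port 3130 \
    cert=/usr/local/squid/etc/squidCA.cert \
    key=/usr/local/squid/etc/squidCA.key
```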