[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Mon Jul 6 14:21:45 UTC 2015


2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> My own solution in conjunction with Tor + Privoxy looks like this (Note:
> for Squid 3.4.13):
>
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
This seems to be old config directive.
New corresponding one shoud be "ssl_bump bump net_bump"

And, no "peek" one? Or that's the problem?

Thanks.
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> http_port 3127
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key
I also tried such config.
With such "http_port" and "http_port intercept" with ssl-bump at last.
Although curl works under test, the certificate is not the fake one.
(Issuer is not my fake one)
So I consider the ssl-bump not working in that case.

I'd like to reply when I set it up later to test.

Thanks

> sslproxy_capath /etc/opt/csw/ssl/certs
> sslproxy_options NO_SSLv2 NO_SSLv3
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> Generally,
>
> works like charm.
>
> 06.07.15 15:22, adam900710 пишет:
>> Hi all,
>>
>> I tried to build a ssl bumping proxy with up level proxy, but client
>> failed to connect like the following.
>>
>> The error:
>> ---
>> $ curl https://www.google.co.jp -vvvv -k
>> * Rebuilt URL to: https://www.google.co.jp/
>> * Trying ::1...
>> * Connected to localhost (::1) port 3128 (#0)
>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>> CONNECT www.google.co.jp:443 HTTP/1.1
>>> Host: www.google.co.jp:443
>>> User-Agent: curl/7.43.0
>>> Proxy-Connection: Keep-Alive
>>>
>> < HTTP/1.1 200 Connection established
>> <
>> * Proxy replied OK to CONNECT request
>> * ALPN, offering http/1.1
>> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ssl/certs/ca-certificates.crt
>> CApath: none
>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>> * Closing connection 0
>> curl: (35) Unknown SSL protocol error in connection to
> www.google.co.jp:443
>> ---
>>
>> My squid.conf:
>> ---
>> # default acls/configs are ignored
>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>> never_direct allow all
>> ssl_bump peek all
>> ssl_bump bump all
>> http_port 3128 ssl-bump \
>> cert=/etc/squid/ssl/ca.crt \
>> key=/etc/squid/ssl/ca.key \
>> generate-host-certificates=on \
>> dynamic_cert_mem_cache_size=4MB
>> ---
>>
>> From the cache_peer port, someone may notice that I'm using privoxy.
>> That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
>> or I can't ever access some sites.
>>
>> Here is some of my experiments:
>> 1) Remove "never_direct"
>> Then ssl_bump works as expected, but all traffic doesn't goes through
>> the SOCKS5 proxy. So a lot of sites I can't access.
>>
>> 2) Use local 8118 proxy
>> That works fine without any problem, but SSL_dump is needed...
>> So just prove privoxy are working.
>>
>> Any clue?
>>
>> Thanks
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVmotBAAoJENNXIZxhPexG0PQIAJ0Cy3o/diVtZsCYPTZ5At8K
> RuP3wHjahKhXj3xZjLiE+QKWvfr1ehZNWSj4wHF616ciX2w23QbghqNIBbV7Awpl
> 7JrTIv3L2nR/19uWgmr2FnhCKf2gSeC9j9Za0aBPAv3PoPwkMNmLbdlwq3mG8pey
> 6Tk8Tsh8+BlfUYXNgO+x/05eyLx6k4ZRV7009E7U3akt5ye+d8vcYXSfwL8+O+ni
> JReTJ2CwXSakb+Olti+ZTJvJWxI49Szdc3FrAyh7cTe2Bgo8hDTyW9Pj5WNvINYG
> +LQZUqOBF/YWtvpXbVVWAcJxYyzTGJJE/1+TtfIFEDsULTe4G74wCqsPu5VanM0=
> =TEp1
> -----END PGP SIGNATURE-----
>


More information about the squid-users mailing list