[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.
adam900710
adam900710 at gmail.com
Tue Jul 7 00:54:31 UTC 2015
Tried your config in my environment.
Although curl can get to the sites through privoxy, just like the log says:
------
1436230195.213 432 ::1 TCP_TUNNEL/200 4146 CONNECT
www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
------
But the certificate I got is still the original one, not the fake one:
------
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc;
CN=www.google.com
* start date: 2015-06-18 08:52:56 GMT
* expire date: 2015-09-16 00:00:00 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
------
Does it work only in 3.4?
Anyway, I'll try to downgrade squid and try it again.
Thanks
2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I use version 3.4. Yes, these are old directives.
>
> 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception
> environment.
>
> 06.07.15 20:21, adam900710 writes:
>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>>
>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>> for Squid 3.4.13):
>>
>> # Tor acl
>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>> > This seems to be an old config directive.
>> > The new corresponding one should be "ssl_bump bump net_bump"
>>
>> > And, no "peek" one? Or that's the problem?
>>
>> > Thanks.
>>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>> always_direct deny tor_url
>> always_direct allow all
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> http_port 3127
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
>> key=/usr/local/squid/etc/rootCA.key
>> > I also tried such config.
>> > With such "http_port" and "http_port intercept" with ssl-bump at last.
>> > Although curl works under test, the certificate is not the fake one.
>> > (Issuer is not my fake one)
>> > So I consider the ssl-bump not working in that case.
>>
>> > I'd like to reply when I set it up later to test.
>>
>> > Thanks
>>
>> sslproxy_capath /etc/opt/csw/ssl/certs
>> sslproxy_options NO_SSLv2 NO_SSLv3
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M
>> 4MB
>>
>> Generally,
>>
>> works like a charm.
>>
>> 06.07.15 15:22, adam900710 writes:
>> >>> Hi all,
>> >>>
>> >>> I tried to build an SSL bumping proxy with an upper-level proxy, but the client
>> >>> failed to connect like the following.
>> >>>
>> >>> The error:
>> >>> ---
>> >>> $ curl https://www.google.co.jp -vvvv -k
>> >>> * Rebuilt URL to: https://www.google.co.jp/
>> >>> * Trying ::1...
>> >>> * Connected to localhost (::1) port 3128 (#0)
>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
>> >>>> Host: www.google.co.jp:443
>> >>>> User-Agent: curl/7.43.0
>> >>>> Proxy-Connection: Keep-Alive
>> >>>>
>> >>> < HTTP/1.1 200 Connection established
>> >>> <
>> >>> * Proxy replied OK to CONNECT request
>> >>> * ALPN, offering http/1.1
>> >>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> >>> * successfully set certificate verify locations:
>> >>> * CAfile: /etc/ssl/certs/ca-certificates.crt
>> >>> CApath: none
>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>> >>> * Closing connection 0
>> >>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>> >>> ---
>> >>>
>> >>> My squid.conf:
>> >>> ---
>> >>> # default acls/configs are ignored
>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>> >>> never_direct allow all
>> >>> ssl_bump peek all
>> >>> ssl_bump bump all
>> >>> http_port 3128 ssl-bump \
>> >>> cert=/etc/squid/ssl/ca.crt \
>> >>> key=/etc/squid/ssl/ca.key \
>> >>> generate-host-certificates=on \
>> >>> dynamic_cert_mem_cache_size=4MB
>> >>> ---
>> >>>
>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>> >>> That's right, as I need to redirect the SSL traffic to a SOCKS5 proxy,
>> >>> or I can't ever access some sites.
>> >>>
>> >>> Here are some of my experiments:
>> >>> 1) Remove "never_direct"
>> >>> Then ssl_bump works as expected, but all the traffic doesn't go through
>> >>> the SOCKS5 proxy. So there are a lot of sites I can't access.
>> >>>
>> >>> 2) Use local 8118 proxy
>> >>> That works fine without any problem, but SSL_dump is needed...
>> >>> So that just proves privoxy is working.
>> >>>
>> >>> Any clue?
>> >>>
>> >>> Thanks
>> >>> _______________________________________________
>> >>> squid-users mailing list
>> >>> squid-users at lists.squid-cache.org
>> >>> http://lists.squid-cache.org/listinfo/squid-users
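The thread's way of telling whether bumping actually happened is to read curl's "Server certificate" block by eye and look at the issuer. The script below is an added example (not from this thread and not part of Squid or Privoxy) that does the same check programmatically: it opens a CONNECT tunnel through the proxy, completes the TLS handshake with the system CAs plus the bump CA trusted, and classifies the leaf certificate as "bumped" (issued by the local CA, as expected when ssl_bump is active) or "passthrough" (the site's real issuer, as in the log above). The proxy address localhost:3128 is taken from the thread; the bump CA file and its CN are parameters you supply, and the two sample certificate dicts are constructed so the classifier can be exercised offline.

```python
"""Verify whether HTTPS through an explicit Squid proxy is being SSL-bumped.

Added example, not code from the squid-users thread or the Squid project.
Assumptions: the proxy listens on localhost:3128 (as in the thread), and the
caller knows the path and commonName of the root CA configured on the
https_port/http_port ssl-bump line.
"""
import socket
import ssl
import sys

PROXY = ("localhost", 3128)  # assumption: the http_port from the thread


def parse_connect_status(status_line):
    """Return the numeric status from e.g. 'HTTP/1.1 200 Connection established'."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def open_connect_tunnel(proxy, target_host, target_port=443, timeout=10):
    """Send an HTTP CONNECT request and return the raw tunnel socket.

    Raises RuntimeError when the proxy does not answer with a 2xx status,
    e.g. when http_access denies the CONNECT.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n\r\n"
    )
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise RuntimeError("proxy closed the connection before answering CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not 200 <= parse_connect_status(status_line) < 300:
        sock.close()
        raise RuntimeError(f"CONNECT refused: {status_line}")
    return sock


def classify_issuer(cert, bump_ca_cn):
    """Classify a dict as returned by SSLSocket.getpeercert().

    "bumped"      - issuer CN is the local bump CA, so Squid generated the cert
    "passthrough" - some other issuer, so the client saw the origin's real cert
    "unknown"     - no issuer information (empty dict from an unverified handshake)
    """
    issuer = cert.get("issuer") or ()
    cns = [value for rdn in issuer for (name, value) in rdn if name == "commonName"]
    if not cns:
        return "unknown"
    return "bumped" if bump_ca_cn in cns else "passthrough"


def check_bump(target_host, bump_ca_file, bump_ca_cn, proxy=PROXY):
    """Handshake with target_host through the proxy and classify the leaf cert.

    The context trusts the system CAs plus the bump CA, so both a bumped chain
    and an untouched chain verify and the issuer can be read back afterwards.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=bump_ca_file)
    raw = open_connect_tunnel(proxy, target_host)
    with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
        return classify_issuer(tls.getpeercert(), bump_ca_cn)


# Constructed sample values (not real certificates) shaped like getpeercert()
# output; the passthrough issuer mirrors the curl output quoted in the thread.
SAMPLE_BUMPED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Squid bump CA"),),
               (("commonName", "squid-bump-root"),)),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Inc"),),
               (("commonName", "Google Internet Authority G2"),)),
}


if __name__ == "__main__":
    # usage: python check_bump.py www.google.com /etc/squid/ssl/ca.crt <bump CA CN>
    host, ca_file, ca_cn = sys.argv[1:4]
    print(host, "->", check_bump(host, ca_file, ca_cn))
```

Run it once with never_direct in place and once without: a "passthrough" result while the access log shows TCP_TUNNEL through FIRSTUP_PARENT means Squid is forwarding the CONNECT to the cache_peer untouched, which is exactly the symptom described above.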