[squid-users] Squid 3.5.2 and Avast free anti-virus
Alan Palmer
alanpalmer72 at yahoo.com
Mon Mar 2 12:29:08 UTC 2015
Squid 3.5.2 intercept mode and Avast Free Antivirus 2015 on Windows 7
aren't playing well together. Chrome returns a CA invalid error; the
details reveal it's the Avast web/mail shield cert that's not being
trusted. Everything works if I turn the webshield off or, on a very
strange note, it works fine on a Windows XP (I know, old/bad, upgrade
blah blah) machine also running Avast 2015. The Windows XP version does
have a different cert than the Windows 7 version, however. Avast seems
to be doing an sslbump on its own between the client and the Squid
proxy. Does anyone else have a similar setup working, and if so, what's
the magic incantation to make it play nice?
squid -v
Squid Cache: Version 3.5.2
Service Name: squid
configure options: '--disable-strict-error-checking'
'--disable-arch-native' '--enable-shared'
'--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap'
'--enable-ssl' '--with-openssl=/usr/local/ssl' '--enable-storeio=aufs
ufs diskd' '--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid'
'--with-pthreads' '--with-swapdir=/var/squid/cache'
'--disable-pf-transparent' '--enable-ipfw-transparent'
'--enable-external-acl-helpers=LDAP_group SQL_session file_userip
time_quota session unix_group wbinfo_group LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc'
'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'
'--enable-ssl-crtd' '--enable-ltdl-convenience'
uname -a
OpenBSD jarosz-fw 5.6 GENERIC.MP#299 i386
squid.conf
...
https_port [::1]:3127 intercept ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
cert=/etc/squid/ssl_cert/Test2.pem
#
# SSL intercept configuration
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /data/squid/ssl_db -M 16MB
sslcrtd_children 10
always_direct allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cafile /etc/ssl/ca-bundle.crt
https_port [127.0.0.1]:3127 same config lines as the IPv6 port.