[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.
Amos Jeffries
squid3 at treenet.co.nz
Thu Nov 5 08:18:42 UTC 2015
On 5/11/2015 7:44 p.m., maple wrote:
> hi Amos,
>
> what did you exactly refer to for "These particular use-case issue"?

SSL-bump for port 443 intercepted directly by the proxy doing the bumping.

  https_port X intercept ssl-bump ...

If there is an upstream proxy relaying to this one (e.g. proxychains) it
still will not work.

> it means in 3.5+, cache_peer can be used with ssl_bump together smoothly? or it
> resolves the integration problem between squid and proxychains?
>
> anyway, I have already upgraded my squid to 3.5.9, but neither for
> cache_peer used with ssl_bump nor squid with proxychains works.
>
> for cache_peer used with ssl_bump:
> http_access allow all
> http_port 3128 intercept
> https_port 3129 cert=/etc/squid/ssl_cert/squid.crt key=/etc/squid/ssl_cert/private.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ssl_bump peek all
> ssl_bump bump all
> cache_peer 127.0.0.1 parent 12345 0 no-query no-digest default
> never_direct allow all
>
> for squid with proxychains:
> http_access allow all
> http_port 3128 intercept
> https_port 3129 cert=/etc/squid/ssl_cert/squid.crt key=/etc/squid/ssl_cert/private.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ssl_bump peek all
> ssl_bump bump all
> always_direct allow all
>
> proxychains4 -f proxychains.conf squid -f /etc/squid/squid.conf
>
> for proxychains + squid, it looks like proxychains still can chain squid
> with my parent proxy up.
>
> anything I did wrong?

If proxychains is sending to this proxy explicitly then it is an
explicit-proxy link. There should be no need to involve NAT.

Amos