[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

maple maple.feng.wang at hotmail.com
Sun Nov 8 13:40:09 UTC 2015


hi Amos,

first of all, thanks very much for your detailed answer. And about your
questions:
1) are you the sysadmin for that network?
There are actually three networks involved: internal net (I'm fully in charge
of this) <---> lab network (the jump server is located here; I'm using it to set up
an ssh tunnel from the office; I'm just a user in this net) <---> office network
(the http proxy is located here; I'm just a user).
2) and why is there a full separation like that?
As I said above, the lab network is almost completely separated from the others;
it only provides a jump server which allows the office network to access it with ssh,
so if I want my internal net located in the lab to access the internet, the only way
is to use an ssh tunnel to the http proxy in the office range. This is the reason I
set it up like this. I may contact the sysadmin to give me some way to access the
internet from the lab directly which bypasses the ssh tunnel, but an upstream proxy
is necessary for policy reasons.

I went through the solution you suggested; just to confirm, in case I don't
understand it the right way:

client <---https---> second squid <---proxychains---> first squid <---ssh
tunnel---> http proxy <--http/https--> internet

for the first squid ("configured with a cache_peer using an IP:port, and also
using the "ssl" option"):
http_port 3128 intercept
cache_peer 127.0.0.1 parent 12345 0 no-query no-digest default
never_direct allow all
sslproxy_flags DONT_VERIFY_PEER

I'm not sure what the exact "ssl" option is, but it should not be ssl_bump, right?
I'd appreciate it if you could specify it.

for the second squid (has an https_port to receive the traffic. No special mode
flags are needed here):
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt key=/etc/squid/ssl_cert/private.key
ssl_bump peek all
ssl_bump bump all
always_direct allow all

I'm not setting "intercept" on the https_port since you said no special mode
flags are needed.

for proxychains:
strict_chain 
[ProxyList] 
http  first_squid 3128

proxychains second_squid -f conf_file

Is that aligned with what you suggest? Thanks again for your great support.

best regards.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-with-cache-peer-problem-Handshake-fail-after-Client-Hello-tp4672064p4674435.html
Sent from the Squid - Users mailing list archive at Nabble.com.
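Added example, not from the thread and not Squid code: a minimal CONNECT-only HTTP proxy in Python standing in for the office http proxy at the far end of the chain above, with an echo server standing in for the internet. It shows the two behaviours a practitioner checking such a chain hop by hop cares about: a proxy-aware client sends `CONNECT host:port` before any TLS bytes and gets `200 Connection established`, while a bare TLS record arriving with no CONNECT in front of it (the shape of intercepted traffic forwarded as-is to a plain HTTP proxy) is rejected, which is one way a handshake dies right after the ClientHello. All function names, ports and the `fake_hello` bytes are constructed for this example.

```python
import contextlib
import socket
import socketserver
import threading


def parse_connect_request(raw: bytes):
    """Return (host, port) from an HTTP CONNECT request head, or None when the
    bytes are not a CONNECT request (for example a raw TLS ClientHello)."""
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        return None
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF too."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def proxy_handler(client):
    """One client of the constructed CONNECT-only proxy: tunnel on a valid
    CONNECT, answer 400 to anything else (a bare ClientHello included)."""
    client.settimeout(5)  # do not wait forever for the request head
    try:
        raw = client.recv(4096)
    except OSError:
        return
    target = parse_connect_request(raw)
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        return
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\n\r\n")
        return
    client.settimeout(None)
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    with upstream:  # from here on the proxy is a blind byte pipe
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()


def echo_handler(conn):
    """Stand-in for the origin server: echo everything back, then half-close."""
    _pump(conn, conn)


def start_server(handler):
    """Listen on 127.0.0.1 at an ephemeral port, run handler(conn) per client in
    its own thread, and return the port number."""
    class _H(socketserver.BaseRequestHandler):
        def handle(self):
            handler(self.request)
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _H)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def _recv_until(sock, marker, limit=65536):
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def tunnel_through_proxy(proxy_port, dest_port, payload):
    """Do what a proxy-aware client does: CONNECT first, then send the payload
    through the tunnel. Returns (proxy status line, bytes echoed back)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT 127.0.0.1:{dest_port} HTTP/1.1\r\n"
                  f"Host: 127.0.0.1:{dest_port}\r\n\r\n".encode())
        status = _recv_until(s, b"\r\n\r\n").split(b"\r\n", 1)[0]
        if not status.startswith(b"HTTP/1.1 200"):
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return status, b"".join(iter(lambda: s.recv(4096), b""))


def send_raw_client_hello(proxy_port):
    """Do what intercepted TLS looks like to a plain HTTP proxy: a TLS record
    header (constructed, not a real handshake) with no CONNECT in front of it."""
    fake_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(fake_hello)
        return _recv_until(s, b"\r\n\r\n").split(b"\r\n", 1)[0]
```

Run `start_server(echo_handler)` and `start_server(proxy_handler)` to get the two ports, then compare `tunnel_through_proxy(proxy, echo, b"...")` against `send_raw_client_hello(proxy)`: the first returns the 200 status line and the echoed payload, the second only `HTTP/1.1 400 Bad Request`. The same contrast is what to look for on a real upstream proxy's access log when one hop of a chain like the one above fails during the TLS handshake.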

