[squid-users] sslBump and intercept

Eugene M. Zheganin emz at norma.perm.ru
Thu Nov 12 13:22:03 UTC 2015


Hi.

On 12.11.2015 17:04, Steve Hill wrote:
>
> proxy_auth won't work on intercepted traffic and will therefore always
> return false, so as far as I can see you're always going to peek and
> then splice.  i.e. you're never going to bump, so squid should never
> be generating a forged certificate.
Yup, I know that, and my fault is that I forgot to mention it, and to
explain that this sample config contains parts that handle user
authentication. So, yes, I'm aware that intercepted SSL traffic will
look to squid like anonymous, and that's the idea.
>
> You say that Squid _is_ generating a forged certificate, so something
> else is going on to cause it to do that.  My first guess is that Squid
> is generating some kind of error page due to some http_access rules
> which you haven't listed, and is therefore bumping.
This is exactly what's happening.
>
> Two possibilities spring to mind for the certificate being for the IP
> address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
> (use wireshark to confirm).  In this case, Squid has no way to know
> what name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some
> reason.  See:  http://bugs.squid-cache.org/show_bug.cgi?id=4327
Thanks, I'll try to investigate.

Eugene.

