[squid-users] SSL Bump in intercept mode
Степаненко Сергей
sstepanenko at rsbank.ru
Wed Sep 23 06:16:01 UTC 2015
Hi all!
Please help me with ssl bump configuration in interception mode.
I'm have this config
...
https_port 192.168.113.19:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/sq
uid/proxy02_chain.crt key=/etc/squid/proxy02.key
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump stare all
ssl_bump bump all
ssl_bump splice all step3
...
My proxy certificate released by subca, i.e CA - SubCA - Proxy.
On my workstations CA cert add in trusted CA store, but in this configuration browser write "Not check certificate chain"
If i'm change conf to
...
ssl_bump bump all
ssl_bump stare all
ssl_bump splice all step3
...
I'm get error "The security certificate presented by this website was issued for a different website's address", but certificate chain is trust, i.e I'm view chain CA - SubCA - Proxy - site ipaddr.
Also if I'm change conf to
...
https_port 192.168.113.19:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/sq
uid/proxy02_chain.crt key=/etc/squid/proxy02.key
ssl_bump server-first all
...
All works. But not all sites.
OS - Centos6.7, squid - 3.5.7 from www1.ngtech.co.il repo
PS
Sorry for bad English.
More information about the squid-users
mailing list