[squid-users] SSL Bump in intercept mode

Alex Rousskov rousskov at measurement-factory.com
Wed Sep 23 15:04:57 UTC 2015


On 09/23/2015 12:16 AM, Степаненко Сергей wrote:

> My proxy certificate was issued by the SubCA, i.e. CA - SubCA - Proxy.

> OS - CentOS 6.7, squid - 3.5.7 from www1.ngtech.co.il repo


> ssl_bump stare all
> ssl_bump bump all
> ssl_bump splice all step3

Please note that the last "splice" rule will never match [in the latest
Squids]. Other than being misleading about your true intent, this should
not cause problems.

Apart from the pointless splice rule, this is the configuration variant
you should focus on if you want to bump everything.


> In this configuration the browser writes "Not check certificate chain".

Perhaps the browser lacks the SubCA certificate? Does Squid send that
intermediate certificate to the browser? You should be able to tell by
examining the browser-Squid SSL handshake in wireshark.


> ssl_bump bump all
> ssl_bump stare all
> ssl_bump splice all step3

Please note that the second and third rules will never match [in the
latest Squids].

Also, the above config variation is subject to Bug 4327 [in the latest
Squids]. It is not yet clear what the correct Squid behaviour should be
in this case. Avoid this configuration for now.

    http://bugs.squid-cache.org/show_bug.cgi?id=4327


> I get the error "The security certificate presented by this website was
> issued for a different website's address", but the certificate chain is
> trusted, i.e. I see the chain CA - SubCA - Proxy - site ipaddr.

Possibly because of the problems discussed in comments 0-3 of the Bug
4327 report mentioned above. I do not know whether your Squid version is
affected because quite a few things have changed since it was released.


> ssl_bump server-first all

> Everything works, but not for all sites.

I cannot fully explain this observation. In theory, this last config
should have similar effects to your first config, but should handle
fewer cases because the last config lacks SNI support.

I recommend that you try to reproduce the problems [with the first
config] using the latest v3.5 daily snapshot (or trunk):

  ssl_bump stare all
  ssl_bump bump all


Good luck,

Alex.
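An added example (not from the thread or from Squid itself) for the "does Squid send the intermediate certificate?" question above: instead of reading the handshake in wireshark, it parses the "Certificate chain" block that `openssl s_client -showcerts` prints and checks that the chain links from the bumped leaf up to the CA the browsers trust. The proxy address, port and CA names are assumptions; the two transcripts are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: parse the "Certificate chain" block of
# `openssl s_client -showcerts` output and check that the certificates Squid
# sends link from the bumped leaf up to the CA installed in the browsers.
# Assumed live use (proxy address, port and CA names are assumptions):
#   openssl s_client -connect 10.0.0.1:3129 -servername www.example.com \
#       -showcerts </dev/null 2>/dev/null | chain_check '/CN=CA'

# chain_check ANCHOR: stdin is s_client output; ANCHOR is the subject of the
# root CA the browsers trust. Prints one line per certificate and returns 0
# only if each cert is issued by the next one sent and the last is issued by
# (or is) ANCHOR, i.e. the SubCA really was sent to the client.
chain_check() {
  awk -v anchor="$1" '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; n++ }
    END {
      bad = 0
      for (d = 0; d < n; d++) {
        printf "%d subject=%s issuer=%s\n", d, subj[d], iss[d]
        if (d + 1 < n && iss[d] != subj[d + 1]) {
          printf "BROKEN: depth %d is not issued by depth %d\n", d, d + 1
          bad = 1
        }
      }
      if (n == 0) { print "no certificates in input"; bad = 1 }
      else if (iss[n-1] != anchor && subj[n-1] != anchor) {
        printf "INCOMPLETE: chain stops at %s, browsers trust %s\n", subj[n-1], anchor
        bad = 1
      }
      exit bad
    }'
}

# Constructed transcripts (certificate bodies omitted; only the s:/i: lines
# matter). CHAIN_FULL is what the CA - SubCA - Proxy - site setup from the
# thread should produce; CHAIN_SHORT is a Squid that never sends the SubCA,
# which is what makes a browser complain about the chain.
CHAIN_FULL='Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Proxy
 1 s:/CN=Proxy
   i:/CN=SubCA
 2 s:/CN=SubCA
   i:/CN=CA'
CHAIN_SHORT='Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Proxy
 1 s:/CN=Proxy
   i:/CN=SubCA'
```

Newer OpenSSL releases print subjects as `CN = CA` rather than `/CN=CA`; pass the anchor in whichever form your s_client prints.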


