[squid-users] SSLBump just not working
JR Dalrymple
jr at jrssite.com
Tue Aug 2 01:30:11 UTC 2016
I have a freshly installed Squid from source on a likewise freshly
installed OpenBSD system. I am attempting to replace an aging stub Squid on
Linux with a transparent one using SSLBump. I think I have everything set up
pretty skookum, but the symptom is that it just isn't working. When I browse to an
https website I get presented with my root cert, but not a dynamically created
cert underneath. It doesn't look like they're being created, as the folder
hierarchy that's supposed to contain the dynamic certs remains empty. Note
that as of yet this is not in a transparent configuration; I am choosing to
crawl before I walk. Here is some perhaps useful info from the system:
# uname -a
OpenBSD router.example.local 5.9 GENERIC#1761 amd64
# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--enable-icmp' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-auth' '--with-openssl' --enable-ltdl-convenience
# ps -waux | grep squid
squid 2604 10.9 1.4 17060 14840 ?? R 5:16PM 0:03.11 (squid-1) (squid)
root 28389 0.0 0.2 10608 2548 ?? Ss 5:16PM 0:00.06 /usr/local/squid/sbin/squid
squid 17905 0.0 0.3 688 3496 ?? S 5:16PM 0:00.10 (ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid 21985 0.0 0.3 680 3460 ?? S 5:16PM 0:00.05 (ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid 20149 0.1 0.3 676 3468 ?? S 5:16PM 0:00.04 (ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid 8313 0.0 0.3 688 3488 ?? S 5:16PM 0:00.03 (ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid 11338 0.0 0.3 688 3488 ?? S 5:16PM 0:00.04 (ssl_crtd) -s /usr/local/squid/var/lib/ssl_db -M 4MB (ssl_crtd)
squid 23712 0.0 0.2 448 1580 ?? S 5:16PM 0:00.06 (logfile-daemon) /var/log/squid/access.log (log_file_daemon)
squid 20208 0.0 0.1 324 1448 ?? S 5:16PM 0:00.02 (unlinkd) (unlinkd)
# grep -i ssl /var/log/squid/cache.log
...
2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now: 0x20 SSLOK (SSL negotiation finished successfully)
2016/08/01 16:54:54.370 kid1| 83,7| bio.cc(168) stateChanged: FD 12 now: 0x2002 SSLOK (SSL negotiation finished successfully)
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
2016/08/01 16:54:54.370 kid1| 83,2| client_side.cc(3809) clientNegotiateSSL: clientNegotiateSSL: New session 0x38985389200 on FD 12 (172.22.19.48:65433)
2016/08/01 16:54:54.370 kid1| 83,3| client_side.cc(3813) clientNegotiateSSL: clientNegotiateSSL: FD 12 negotiated cipher AES128-SHA
2016/08/01 16:54:54.371 kid1| 83,5| client_side.cc(3829) clientNegotiateSSL: clientNegotiateSSL: FD 12 has no certificate.
2016/08/01 16:54:54.426 kid1| 85,5| client_side_request.cc(1438) sslBumpAccessCheck: cannot SslBump this request
...
# grep -v ^# /usr/local/squid/etc/squid.conf | grep -v ^[\s]*$
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
ssl_bump bump all
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
cache_dir ufs /var/cache/squid 4000 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10
debug_options ALL,9
# ls -lR /usr/local/squid/var/lib/
total 4
drwxr-xr-x 3 squid wheel 512 Jul 23 18:38 ssl_db
/usr/local/squid/var/lib/ssl_db:
total 8
drwxr-xr-x 2 squid wheel 512 Jul 23 18:38 certs
-rw-r--r-- 1 squid wheel 0 Jul 23 18:38 index.txt
-rw-r--r-- 1 squid wheel 1 Jul 23 18:38 size
Any advice would be much appreciated.
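A small diagnostic for the kind of check the post above is doing by hand: it verifies that an ssl_crtd database has the layout that "ssl_crtd -c -s DIR" creates, counts the certificates recorded in its index.txt, and counts the section-85 "cannot SslBump this request" lines in a cache.log. This is an added example, not code from the original post or from the Squid project; the database directories, index rows and log lines it builds are constructed to mirror the listing and log excerpt above, and the index.txt column layout (the tab-separated OpenSSL "ca" index format) and the real paths are assumptions.

```shell
#!/bin/sh
# Diagnostic for a Squid ssl_crtd certificate database and cache.log.
# Added example: not code from the original post or from the Squid project.
# Directories, index rows and log lines below are constructed to mirror the
# post; paths on a real host are assumptions.

# ssl_db_initialized DIR: 0 if DIR has the layout that "ssl_crtd -c -s DIR"
# creates (a certs/ subdirectory plus the index.txt and size files).
ssl_db_initialized() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# ssl_db_cert_count DIR: number of valid ("V") rows in index.txt. The file is
# assumed to use the tab-separated OpenSSL "ca" index layout (status, expiry,
# revocation date, serial, file, subject); an empty file means no certificate
# has ever been generated, which is what the post's listing shows.
ssl_db_cert_count() {
    if [ -f "$1/index.txt" ]; then
        grep -c '^V' "$1/index.txt" || true
    else
        echo 0
    fi
}

# ssl_db_used_bytes DIR: the running total ssl_crtd keeps in the size file.
ssl_db_used_bytes() {
    [ -f "$1/size" ] && cat "$1/size" || echo 0
}

# bump_failures LOG: how many times Squid declined to bump a request.
bump_failures() {
    grep -c 'cannot SslBump this request' "$1" || true
}

# ca_pem_is_ca FILE: 0 if FILE carries a CA:TRUE basicConstraints extension,
# 1 if not, 2 if openssl is not installed. Clients reject generated leaf
# certificates whose signer is not a CA, so the cert= file is worth checking.
ca_pem_is_ca() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ssl_db_report DIR LOG: one-line summary for the operator.
ssl_db_report() {
    if ssl_db_initialized "$1"; then
        printf '%s: initialized, %s certs, %s bytes used, %s bump refusals in %s\n' \
            "$1" "$(ssl_db_cert_count "$1")" "$(ssl_db_used_bytes "$1")" \
            "$(bump_failures "$2")" "$2"
    else
        printf '%s: not initialized (run ssl_crtd -c -s %s)\n' "$1" "$1"
        return 1
    fi
}

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT

# Constructed database mirroring the post: empty index.txt, one-byte size file.
mkdir -p "$demo_root/empty/certs"
: > "$demo_root/empty/index.txt"
printf 0 > "$demo_root/empty/size"

# Constructed database from a working bump: two generated certificates.
mkdir -p "$demo_root/active/certs"
printf 'V\t170801120000Z\t\t01\tunknown\t/CN=example.com\n' > "$demo_root/active/index.txt"
printf 'V\t170801120000Z\t\t02\tunknown\t/CN=example.net\n' >> "$demo_root/active/index.txt"
printf 2048 > "$demo_root/active/size"

# Constructed cache.log excerpt in the shape of the post's section 83/85 lines.
cat > "$demo_root/cache.log" <<'EOF'
2016/08/01 16:54:54.371 kid1| 83,5| client_side.cc(3829) clientNegotiateSSL: clientNegotiateSSL: FD 12 has no certificate.
2016/08/01 16:54:54.426 kid1| 85,5| client_side_request.cc(1438) sslBumpAccessCheck: cannot SslBump this request
EOF

ssl_db_report "$demo_root/empty" "$demo_root/cache.log"
ssl_db_report "$demo_root/active" "$demo_root/cache.log"
ssl_db_report "$demo_root/missing" "$demo_root/cache.log" || true
```

On the real host, point ssl_db_report at /usr/local/squid/var/lib/ssl_db and /var/log/squid/cache.log: a certificate count that stays at zero after browsing an https site, together with a growing count of bump refusals, says the request never reached ssl_crtd at all, while ca_pem_is_ca on the cert= file catches a CA.pem that is a plain server certificate rather than a signing CA.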