[squid-users] sslproxyflags DONT_VERIFY_PEER

Alex Rousskov rousskov at measurement-factory.com
Wed Aug 3 20:01:40 UTC 2016


On 08/03/2016 08:45 AM, Stanford Prescott wrote:

> ssl_bump none localhostgreen
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all

AFAICT, the above is too complex. You can simplify it with:

  ssl_bump splice localhostgreen
  ssl_bump peek tls_s1_connect
  ssl_bump splice tls_to_splice
  ssl_bump stare all
  ssl_bump bump all

and, after polishing your ACLs a little, possibly even with:

  ssl_bump splice transactions_to_splice
  ssl_bump peek tls_s1_connect
  ssl_bump stare all
  ssl_bump bump all

where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
and tls_to_splice)".


As for your original question, I recommend figuring out why Squid cannot
verify the peer. For example, your setup might be missing fresh
certificates for some well-known Root CAs. I do not know a good way to
figure out why peer verification does not work, but analyzing cache.log
with high-enough debugging level should be doable, especially if you can
reproduce the problem using a single transaction:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.
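An added example, not part of Alex's reply or of the Squid project: a POSIX shell script that uses the openssl command-line tool to check whether a CA bundle verifies a server certificate, which is the check Squid performs when peer verification is left enabled instead of being switched off with DONT_VERIFY_PEER. To run offline it builds a throwaway root CA and a server certificate signed by it; the file names, the example hostname and the reference to the Squid 3.5 directive sslproxy_cafile in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): does a CA bundle verify a
# server certificate? This is the test Squid applies to the origin server's
# chain when peer verification is enabled; a bundle missing the relevant
# root is one reason that verification fails. Needs the openssl CLI.
# All names and paths below are constructed for the demo.

# check_bundle BUNDLE LEAF [INTERMEDIATES]
# Returns 0 when LEAF chains to a root contained in BUNDLE, non-zero otherwise.
# BUNDLE is the file you would name in sslproxy_cafile (Squid 3.5; assumed).
check_bundle() {
    bundle="$1"; leaf="$2"; inter="${3:-}"
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$bundle" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
    fi
}

# make_constructed_pki DIR
# Builds a throwaway root CA, a server certificate signed by it, and an
# empty bundle that lacks the root (constructed test data only).
make_constructed_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Constructed Test Root" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
    : > "$dir/empty-bundle.pem"   # a bundle without the issuing root
}

# diagnose DIR
# Prints one line per scenario: a bundle that contains the root versus one
# that does not, which is what a wrong sslproxy_cafile looks like in practice.
diagnose() {
    dir="$1"
    if check_bundle "$dir/ca.crt" "$dir/server.crt"; then
        echo "complete bundle: verified"
    else
        echo "complete bundle: FAILED"
    fi
    if check_bundle "$dir/empty-bundle.pem" "$dir/server.crt"; then
        echo "bundle without root: verified"
    else
        echo "bundle without root: FAILED"
    fi
}

# Usage: sh check-bundle.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    make_constructed_pki "$tmp"
    diagnose "$tmp"
    rm -rf "$tmp"
fi
```

Against a real deployment, point check_bundle at the bundle Squid is configured with and at a server certificate saved from `openssl s_client -showcerts`; a failure there indicates a missing or stale root in the bundle, which is fixed by refreshing the bundle rather than by disabling peer verification.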


