[squid-users] sslproxyflags DONT_VERIFY_PEER

Stanford Prescott stan.prescott at gmail.com
Wed Aug 3 21:12:45 UTC 2016


Thanks for the info, Alex. That's very helpful about cleaning up my ACLs.
Those ACLs are a collection of ACLs that others have suggested I use, but
it would be nice to make them less confusing for me.

With my limited understanding of how sslbump works, the idea for squid to
play MITM is that a self-signed cert like squidCA.der is imported to a
browser's root CAs. I have left a copy of the self-signed cert named
squidCA.pem in the squid's cert directory which only works if squid is told
to not verify the peer. When following the instructions how to generate the
self-signed cert with openssl, the .pem file must be converted to a .der
file for the browser to accept it. It just dawned on me: could this be
related to the fact that the squid self-signed certs are not named the same?

On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>
> > ssl_bump none localhostgreen
> > ssl_bump peek tls_s1_connect all
> > ssl_bump splice tls_s2_client_hello tls_to_splice
> > ssl_bump stare tls_s2_client_hello all
> > ssl_bump bump tls_s3_server_hello all
>
> AFAICT, the above is too complex. You can simplify it with:
>
>   ssl_bump splice localhostgreen
>   ssl_bump peek tls_s1_connect
>   ssl_bump splice tls_to_splice
>   ssl_bump stare all
>   ssl_bump bump all
>
> and, after polishing your ACLs a little, possibly even with:
>
>   ssl_bump splice transactions_to_splice
>   ssl_bump peek tls_s1_connect
>   ssl_bump stare all
>   ssl_bump bump all
>
> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello
> and tls_to_splice)".
>
>
> As for your original question, I recommend figuring out why Squid cannot
> verify the peer. For example, your setup might be missing fresh
> certificates for some well-known Root CAs. I do not know a good way to
> figure out why peer verification does not work, but analyzing cache.log
> with high-enough debugging level should be doable, especially if you can
> reproduce the problem using a single transaction:
>
>
> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>
>
> HTH,
>
> Alex.
>
>
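The naming question raised above can be settled without guessing: neither Squid nor the browser cares what the file is called, only what bytes it holds, so the useful check is whether squidCA.der and squidCA.pem encode the same certificate. The script below is an added example, not code from this thread or from the Squid project; it normalizes either encoding to DER (the same conversion `openssl x509 -inform PEM -outform DER` performs) and compares SHA-256 fingerprints. The file names and the tiny DER blob used as sample input are constructed for the demonstration.

```python
import base64
import hashlib
import re
import sys
import textwrap

# Matches the base64 body of a PEM CERTIFICATE block (first block only).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE envelope (64-char lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def load_cert_der(data: bytes) -> bytes:
    """Accept raw file bytes in either PEM or DER form and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    if not data.startswith(b"\x30"):  # every X.509 cert is a DER SEQUENCE
        raise ValueError("input is neither PEM nor DER (no SEQUENCE tag)")
    return data


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; what 'openssl x509 -fingerprint' hashes."""
    return hashlib.sha256(der).hexdigest()


def same_certificate(a: bytes, b: bytes) -> bool:
    """True when both inputs, whatever their encoding, are the same cert."""
    return fingerprint(load_cert_der(a)) == fingerprint(load_cert_der(b))


# Constructed sample: a minimal valid DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = der_to_pem(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    # Usage: python check_ca.py squidCA.pem squidCA.der  (paths are assumptions)
    files = [open(p, "rb").read() for p in sys.argv[1:3]] or [SAMPLE_PEM, SAMPLE_DER]
    print("same certificate:", same_certificate(*files))
```

If the fingerprints match, the .pem/.der naming is not the problem and the peer-verification failure lies elsewhere, which is where the single-transaction cache.log debugging Alex pointed to comes in.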