[squid-users] SSLBump non-HTTPs connections

Peter Viskup skupko.sk at gmail.com
Thu Jun 2 06:33:32 UTC 2016


Hello all,
just wondering whether it is possible to perform SSLBump/SSLSplit for
non-HTTPS connections. At the moment we are interested in FTPS.
We are running Squid version 3.4.2.

With SSLBump configured, we are not able to receive the SSL certificates:

proxy:/etc/squid3# grep server-first squid.conf
ssl_bump server-first all
proxy:/etc/squid3# socat TCP-LISTEN:9999,reuseaddr,fork PROXY:127.0.0.1:www.ftpsservicedomain.net:990,proxyport=8080
proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
140535877478056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

With ssl_bump disabled for the particular destination domain, we are
able to receive the SSL certificates:

proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=www.ftpsservicedomain.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
-----BEGIN CERTIFICATE-----
MIIGQzCCBCugAwIBAgITWgAAuYCRJAQnIMZ1CwABAAC5gDANBgkqhkiG9w0BAQsF
....

In both cases the only log entry we see is the CONNECT request:
01/Jun/2016:10:16:23 +0200    681 127.0.0.1 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\r\n] [-]

Best regards,
-- 
Peter Viskup
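As an added example (not part of the original post, and not Squid's or socat's code), the socat + openssl s_client check from the post folded into one Python probe: it sends the same CONNECT through the proxy, starts TLS inside the tunnel, and reports either the handshake failure or the TLS version and SHA-256 fingerprint of the certificate that came back, so the result can be compared with a direct connection to the same host. The proxy address 127.0.0.1:8080, the placeholder host www.ftpsservicedomain.net and port 990 are assumptions taken from the post's setup.

```python
import hashlib
import socket
import ssl

def build_connect_request(host, port):
    """Build the CONNECT request that socat sends to Squid on the client's behalf."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")

def parse_connect_status(reply):
    """Return the status code from the proxy's reply to CONNECT (200 = tunnel is open)."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])

def read_reply_headers(sock):
    """Read until the blank line that ends the proxy's CONNECT reply."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf

def probe_tls_via_proxy(proxy, target, timeout=10):
    """Tunnel to target through proxy, then start TLS inside the tunnel.
    Returns ("ok", tls_version, sha256 of the presented cert) or ("handshake-failed", reason);
    comparing the fingerprint with a direct connection's shows whether the cert is the origin's."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # observe whatever cert is presented, do not validate it
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(*target))
        status = parse_connect_status(read_reply_headers(raw))
        if status != 200:
            return ("connect-refused", "proxy answered %d" % status)
        try:
            tls = ctx.wrap_socket(raw, server_hostname=target[0])  # handshake happens here
        except OSError as exc:  # ssl.SSLError is a subclass; covers the 0-byte handshake failure
            return ("handshake-failed", str(exc))
        with tls:
            der = tls.getpeercert(binary_form=True) or b""
            return ("ok", tls.version(), hashlib.sha256(der).hexdigest())

# Same path as in the post (placeholder host, port 990 for implicit FTPS):
# probe_tls_via_proxy(("127.0.0.1", 8080), ("www.ftpsservicedomain.net", 990))
```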

