[squid-users] SSL Bump Issue

Ali Jawad alijawad1 at gmail.com
Thu Mar 3 22:57:49 UTC 2016


Hi
I am using Squid

[root@kgoDcyTx9 squid]# /squid/sbin/squid -v

Squid Cache: Version 3.4.9

configure options:  '--prefix=/squid' '--includedir=/squid/usr/include'
'--enable-ssl-crtd' '--datadir=/squid/usr/share' '--bindir=/squid/usr/sbin'
'--libexecdir=/squid/usr/lib/squid' '--localstatedir=/squid/var'
'--sysconfdir=/squid/etc/squid' '--enable-arp-acl'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
'--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=64000' '--with-dl' '--with-openssl'
'--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
'--enable-ltdl-convenience' '--disable-ipv6'


Config Options


https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem key=/squid/etc/squid/ssl_cert/myca.pem


#always_direct allow all

ssl_bump server-first all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

#sslproxy_cert_error deny all

#sslproxy_flags DONT_VERIFY_PEER


sslcrtd_program /squid/usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1


Iptables Rule

iptables -t nat -A PREROUTING -p tcp --dport 443 --destination 162.220.xx.xx -j REDIRECT --to-ports 3129


The problem:

There are no certificate errors in the cache log, and the access log appears to
log the requested URL. The problem is that Squid shows the error below; from
the looks of it, Squid is trying to send the request to itself on its own IP.
My assumption is that Squid is not able to detect the proper destination during
the bump, through a config fault of my own or a missing step. Please advise:

The following error was encountered while trying to retrieve the URL:
://162.220.xx.xx:443
<https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443>

Connection to 162.220.244.7 failed.

The system returned: (111) Connection refused
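Editor's note on the configuration above (added here; this is not part of the original post or of Squid's own documentation). Independently of the redirect problem, the two lines `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` together make Squid accept any certificate an upstream server presents, and the bump then re-signs that server identity with the local CA that every client trusts. An attacker on the path between the proxy and the origin can therefore present any certificate and clients will see a valid one. The fragment below shows the posted settings beside a variant that keeps upstream verification on, written for the Squid 3.4 directive set shown in `squid -v`; the CA bundle path is an assumption and must be adjusted for the host.

```conf
# Added example, not from the post: ssl-bump with upstream verification kept on.
# The https_port line is the posted one, unchanged; cert= and key= may point
# to the same PEM file as long as it holds both the CA certificate and key.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem key=/squid/etc/squid/ssl_cert/myca.pem

ssl_bump server-first all

# Weak (as posted): every upstream certificate is accepted, the peer is never
# verified, and the forged/expired/self-signed identity is re-issued under the
# local CA. Left here commented out so the contrast is visible.
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

# Hardened: verify the origin certificate against a trust store and refuse the
# connection when verification fails. The bundle path is an assumption
# (RHEL-style location); use the distribution's CA bundle on the real host.
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
sslproxy_cert_error deny all

# If a specific, known error must be tolerated (for example one internal
# self-signed host), scope the exception with an ssl_error ACL instead of
# "allow all". The dstdomain value is a placeholder, not from the post.
#acl internal_selfsigned dstdomain .internal.example
#acl selfsigned_err ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#sslproxy_cert_error allow internal_selfsigned selfsigned_err
#sslproxy_cert_error deny all

sslcrtd_program /squid/usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
```

With `sslproxy_cert_error deny all` and no `DONT_VERIFY_PEER`, a failed upstream verification shows up as an error page served by Squid rather than as a client-trusted certificate for a possibly forged origin, and the failure is logged in cache.log where it can be investigated. Check the result after a reload with `squid -k parse` on the edited file and by connecting through the intercept port to a host with a deliberately bad certificate, which should now be refused.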