[squid-users] HTTPS proxy working in non-transparent mode, failing in transparent mode

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 23 20:14:17 UTC 2017


On 23/08/17 05:17, David Salisbury wrote:
> I've got an install of Squid that I'm trying to get running as an HTTP 
> and HTTPS proxy.  I've got some Squid experience, but up to this point 
> only using it as an HTTP proxy (transparent, in that case).
> 
> I've gotten the HTTPS portion of the proxy working, if I run it in 
> non-transparent mode; the HTTP portion is working as well.  I've 
> installed the appropriate CA cert on the client machine I'm testing 
> with, and have pointed the browser of the client machine to the IP and 
> port of the Squid proxy.  Both HTTP and HTTPS work well, and I can 
> successfully use Squid's ACL functions to whitelist and blacklist 
> certain sites.

As they should. Good.

> 
> BUT, my ultimate goal is transparent mode for the HTTP and HTTPS 

:-( "transparent mode", aka interception, aka MITM attack is a feature 
of last-resort for handling broken clients.

> proxying, and as soon as I put Squid in transparent mode and take off the 
> proxy information of the browser, I start to get certificate errors on 
> the HTTPS-based sites.  HTTP proxying still works fine, but the HTTPS 
> proxying breaks.
> 
> Does anyone have any suggestions as to what to look for that may be 
> causing that?  I don't understand what could break just switching 
> between non-transparent and transparent modes.

TLS/SSL is explicitly designed to break when being MITM'd. It is called 
security. When used properly it *cannot* be MITM'd; sadly most web 
traffic does not use it that way.

Are you using SSL-Bump functionality?

If not that is your problem. If you are, what is your config?


Amos
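An added example, not part of this thread and not text from the Squid project's documentation, of the configuration shape the reply is asking about: the explicit port that matched the poster's working setup, plus the intercept ports that transparent mode needs, each carrying its own ssl-bump setting and the same CA that is already installed on the client. The file paths, port numbers, LAN range, interface name and the exempted site list are assumptions.

```conf
# Added example, not from the mailing-list thread: the two ways a browser can
# reach Squid for HTTPS, each needing its own port and its own ssl-bump setting.
# File paths, port numbers, the LAN range, the interface and the CA file are
# assumptions; the CA used here must be the one installed on the client machine.

# 1. Explicit (non-transparent) proxy: the browser is configured with this
#    port and sends CONNECT requests, which is what the poster had working.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/proxyCA.pem key=/etc/squid/ssl/proxyCA.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 2. Transparent (intercept) mode: the browser knows nothing about the proxy,
#    so HTTP and HTTPS arrive as plain TCP flows that NAT has redirected here.
#    An intercept port without ssl-bump cannot terminate the client's TLS,
#    which shows up on the client as certificate errors.
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/proxyCA.pem key=/etc/squid/ssl/proxyCA.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by the CA above
# (Squid 3.5 ships it as ssl_crtd; Squid 4 as security_file_certgen).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Bumping policy: peek at the TLS ClientHello first, then decide per site.
acl step1 at_step SslBump1
acl nobump ssl::server_name .example-bank.test   # assumed list of sites left untouched
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# Basic access control for the LAN (assumed range).
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# NAT rules that deliver traffic to the intercept ports (assumed interface
# eth1, Linux iptables on the Squid host):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-port 3129
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3130
```

Before reloading, `squid -k parse` checks the file for syntax and unknown directives, and the certificate database named in `sslcrtd_program` has to be initialised once (for Squid 3.5, `ssl_crtd -c -s /var/lib/squid/ssl_db`). The `peek` at step 1 lets Squid read the SNI so that the `splice` rule can pass sensitive sites through untouched, with only the remaining traffic being bumped and re-signed by the proxy CA.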

