[squid-users] Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work
Marcus Kool
marcus.kool at urlfilterdb.com
Thu May 18 10:59:16 UTC 2017
You have not stated which version of Squid you are using but my guess is that it is 3.5.x.
facebook app and other apps use port 443 but do not use HTTPS and therefore Squid does not how to bump it and consequently the app does not work.
What you need is the not yet stable Squid 4.0 and use the option
on_unsupported_protocol tunnel all
so that the non-HTTPS protocols get through without being bumped.
Marcus
On 18/05/17 07:26, arun.xavier wrote:
> I have configured squid with ssl-bump (intercept mode) and it works as
> expected while accessing secure sites from browsers.
>
> What I have done so far.
>
> - Configured squid.
> - created a root& intermediate certificate for dynamic cert generation in
> squid.
> installed the same root certificate in mobile device(iphone 6 -iOS-10).
> - Every website works on chrome/safari.
>
> But apps like facebook,twitter are not working(showing network error).
>
> When checking cache log of squid, I found the below log.
>
> /Error negotiating SSL connection on FD 12: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> /
> It looks like initial CONNECT/Handshake is not working.
>
> what I have changed in squid.conf
> -----------------------------------------------------------------
> acl localnet src 172.16.0.0/12
> acl localnet src fe80::/10
> acl allow localnet
> ssl_bump bump all
> always_direct allow all
> http_port localhost:3128
> http_port localhost:3129 intercept
> https_port localhost:3130 intercept ssl-bump generate-host-certificates=on
> cert=/etc/squid/cert/cert.pem
> key=/etc/squid/cert/key.pem
> strip_query_terms off
> ----------------------------------------------------------------
>
> Any idea how to fix this? or where to check? What might be my mistake ?
> PS:
> I use squid to get logs of all internet traffic from mobile devices.
> Overview of my intented system is like this:
> SmartPhone---->VPN--->Squid--->Internet
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-works-with-ssl-bump-in-intercept-mode-and-root-certificate-in-browser-but-apps-does-not-work-tp4682451.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list