[squid-users] How to configure https_port ssl-bump ?

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 21 03:25:26 UTC 2017


On 21/11/17 14:31, 赵 俊 wrote:
> Hello,I configured  https_port in squid.conf . However  when I access 
> https websites using Firefox,it shows   "Your connection is not secure" .
> 
> The error like this:
> www.amazon.com used an invalid security certificate.
> This certificate is valid for 23.13.186.212 only.
> Error code: SSL_ERROR_BAD_CERT_DOMAIN
> 
> My CA produced by openssl is a Self-signed certificate.
> 

There are two points of brokenness here.

Firstly, has your Firefox been configured with the DER certificate of 
that CA so that it trusts your CA?

Without that Firefox will not trust *any* certs generated by your Squid.


> Here is my squid.conf:
> 
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off 
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
> cert=/usr/local/squid/ssl_cert/myCA.pem 
> key=/usr/local/squid/ssl_cert/myCA.pem
> 
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> 
> ssl_bump bump all
> 

Secondly, the above configures Squid to auto-generate the server 
certificate with zero details from the real server AND zero details from 
the client TLS handshake.

All Squid has to work with at that point is the raw IP which the client 
used to open the TCP connection underneath everything. So of course 
that is what the cert will be bound to.


Have you read this page to learn the bare basics about what is going on?
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>
I know the page looks long, but that is the minimal details you need to 
know about TLS and the Squid SSL-Bump features.


Amos
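The configuration below is an added illustration, not Amos's reply and not a config from the Squid project; it places the quoted https_port/ssl_bump lines (bumping at SslBump1, which leaves Squid with only the client's destination IP) beside a staged alternative that peeks at the client hello first, so the generated certificate carries the SNI host name rather than the IP. The paths and acl names are the ones from the quoted squid.conf; the step-by-step ssl_bump actions follow the documented SslBump step model and are assumed to match the installed Squid version.

```conf
# --- as quoted in the thread: bump at step 1 ---------------------------------
# Squid bumps before it has seen the client's TLS hello, so the only name it
# can put in the mimicked certificate is the IP the client connected to
# (hence "This certificate is valid for 23.13.186.212 only").
https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/usr/local/squid/ssl_cert/myCA.pem \
    key=/usr/local/squid/ssl_cert/myCA.pem

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

ssl_bump bump all          # the at_step acls above are never consulted

# --- staged alternative: collect details before bumping ----------------------
# Same https_port line as above (unchanged), then:
#
# step 1: peek at the client hello so Squid learns the SNI server name.
# step 2: stare at the origin server's certificate so the mimicked cert can
#         copy its subject/SAN details while keeping bumping possible
#         (peeking at step 2 usually rules bumping out).
# step 3: bump, now with both client and server details available.
ssl_bump peek  ssl_step1
ssl_bump stare ssl_step2
ssl_bump bump  all
```

The mimicked certificate is still signed by myCA.pem, so the first point in the reply stands: Firefox must have the CA imported (for example the DER form of that PEM) as a trusted authority, or every generated certificate is rejected regardless of which host name it carries.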

