[squid-users] SSL intercept in explicit mode

Amos Jeffries squid3 at treenet.co.nz
Sat Apr 14 07:59:20 UTC 2018


On 14/04/18 10:05, MK2018 wrote:
> Aaron Turner wrote
>> Thanks Yuri.  That helps.  As for the "sslproxy_flags
>> DONT_VERIFY_PEER", yes I understand the risks.  In my specific case,
>> where my "users" are actually a bunch of automated web clients doing
>> some web crawling it's the right thing to do.
>> --
>> Aaron Turner
> 
> I tried using bump all myself with actual human beings (200+) using browsers
> ranging from Mozilla Firefox, Seamonkey, Chrome, to Safari and Opera.
> 
> I don't know why I had to face it, but with bump all I got many errors with
> many websites. It only worked with me like this:
> 
> http_port 3128 ssl-bump cert=/ssl_cert/myCA.pem 
> generate-host-certificates=on dynamic_cert_mem_cache_size=999MB
> sslcrtd_children 100
> ssl_bump none BadSSL
> ssl_bump server-first all
> 

FYI this is "server-first all". Peek and splice before "bump all" is
similar but also different in ways that allow it to handle more problems
in better ways.


> Like you see, I'm using server-first word in place of bump word. This is the
> only way I got it to work with natural human browsing. I also could not use
> intercept mode, because every major browser considers it a crime to let it
> go! They would just spit all sorts of errors at user's face and have you
> clean the spitting up :D :D

You do need the browser to trust your CA certificate. This is an
absolute requirement of using SSL-Bump features. Always has been.

> 
> Of course, BadSSL above is the ACL for all sites using the new fiasco of
> hardcoded certificates (certificate-pinning), otherwise, they don't pass at
> all!
> 

Indeed, it's quite a sad situation really. Sites using actually secure TLS
have to downgrade to using the broken CA system for passing grades on
sites that test only the "TLS everywhere" groups' over-hyped way of doing
things.

Amos
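The "peek and splice before bump all" arrangement Amos contrasts with "server-first all", written out as an added squid.conf fragment that is not from this thread: the CA file, helper path, cache sizes and the pinned-site list are placeholders to adapt.

```squid
# Added illustration, not from the thread: peek at step 1, splice the sites
# that pin their certificate, bump everything else.

# Explicit (forward-proxy) port. Clients must trust myCA.pem for any bumped
# site; nothing here removes that requirement.
http_port 3128 ssl-bump \
  cert=/ssl_cert/myCA.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB

# Helper that mints the per-site certificates signed by myCA.pem
# (helper path and database location are placeholders).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 32

# SslBump1: only the CONNECT request is known; peeking here lets Squid read
# the client hello (and its SNI) before committing to a decision.
acl step1 at_step SslBump1

# Sites that pin their certificate (placeholder names). A certificate forged
# from myCA.pem is never accepted by them, so they are passed through untouched.
acl pinned ssl::server_name .pinned-site.example
acl pinned ssl::server_name .another-pinned.example

# 1. Peek at step 1 to learn the SNI without altering the TLS exchange.
ssl_bump peek step1
# 2. At step 2 the SNI is known: splice pinned sites as an opaque tunnel.
ssl_bump splice pinned
# 3. Bump everything else; the generated certificate is named from the SNI.
ssl_bump bump all
```

Splicing on ssl::server_name relies on the SNI the client sent, so a client that omits or fakes SNI falls through to the bump rule and will see the certificate error rather than bypass the proxy policy.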

