[squid-users] Squid and SSLBump

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 21 18:18:18 UTC 2019


On 11/21/19 9:25 AM, Monah Baki wrote:

> The certs/keys are legit from my company.

Is your signing certificate (i.e. wildcardcert.pem) a CA certificate? If
not, then you cannot use it to sign other certificates. SslBump with
dynamic certificate generation requires a CA certificate to sign the
generated certificates.

CA certificates have a "true" CA basic constraint:

    $ openssl x509 -in wildcardcert.pem -noout -text | \
      grep -A1 'Basic Constraints'
                X509v3 Basic Constraints:
                   CA:TRUE


If they are CA certificates, did you import them into the browser/OS
trusted certificates store? In most environments, a browser will not. by
default, trust a CA certificate that Squid can use to sign dynamically
generated certificates.

Alex.


> My squid.conf is very simple since it's for proof of concept
> 
> acl localnet src 10.0.0.0/8 <http://10.0.0.0/8>     # RFC1918 possible
> internal network
> acl localnet src 172.16.0.0/12 <http://172.16.0.0/12>  # RFC1918
> possible internal network
> acl localnet src 192.168.0.0/16 <http://192.168.0.0/16> # RFC1918
> possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 172.16.84.242:3128 <http://172.16.84.242:3128> ssl-bump \
>   cert=/etc/squid/certs/wildcardcert.pem \
>   key=/etc/squid/certs/wildcardkey.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> acl step1 at_step SSlBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 16MB
> sslcrtd_children 32 startup=5 idle=1
> 
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> strip_query_terms off
> # logformat squid %>a - %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru" %Hs
> %st "%{Referer}>h" "%{User-agent}>h"
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A
> %mt [%>h] [%<h]
> access_log  /var/log/squid/access.log squid
> 
> 
> Browsing http sites works fine, but I am having issues with https
> 
> In my access.log I get:
> 1574346211.538     30 172.16.84.241 TAG_NONE/200 0 CONNECT
> www.cnn.com:443 <http://www.cnn.com:443> - HIER_DIRECT/www.cnn.com
> <http://www.cnn.com> - [User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64;
> Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 0\r\nDNT:
> 1\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nHost:
> www.cnn.com:443 <http://www.cnn.com:443>\r\n] [-]
> 
> 
> In Internet explorer I get the following:
> 
> Certificate Error: Navigation Blocked
> 
> 
>   There is a problem with this website’s security certificate.
> 
> 
>  
> 	
> 
> 
>       The security certificate presented by this website is not secure.
> 
>       Security certificate problems may indicate an attempt to fool you
>       or intercept any data you send to the server.	
> 
>  	
> 
> 
>     *We recommend that you close this webpage and do not continue to
>     this website.*
> 
> 
>     *
>     *
> 
> 
>     * *
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



More information about the squid-users mailing list