[squid-users] How to Configure Proxy Chaining with ssl-bump

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 20 09:29:14 UTC 2020


On 20/03/20 8:27 pm, Michael Chen wrote:
> Hi Amos,
> May I know which function Squid v3.5.28 cannot do for my scenario?
> Because Squid v3.5 still has the cache_peer and ssl commands .....
> 

TLS is a volatile environment, with many changes going on constantly.
Squid-3 has been deprecated since 2018 and is far behind in support
needed for current TLS practices.

Especially when bumping you should always have the latest Squid version.


This first bit can be tested with Squid-3. It is just about getting a
secure connection to the peer, any Squid should be able to do that.

Ensure that the peer proxy is delivering its CA *chain* properly.
 * All the intermediates should be supplied during the server handshake.
 * cache_peer should only need the root CA for that chain. Configured in
the sslca= or tls-ca= option.

At this point your Squid should be able to pass traffic to the peer.
Test that with regular http:// URL requests to your Squid. *Not* HTTPS
or bumped traffic.


You can test the following with Squid-3, but do not expect it to work
very well. Squid-4 is better in a lot of cases, but still not completely.

Your ssl_bump rules should peek at the client cert, then stare at the
server cert, then bump the crypto. Like so:

 # step1 is the first SslBump step (ClientHello received, nothing sent yet)
 acl step1 at_step SslBump1

 ssl_bump peek  step1
 ssl_bump stare all
 ssl_bump bump  all


Amos
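The two stages above, written out as one squid.conf fragment. This is an added example, not configuration from the post or from the Squid project; the hostnames, ports, file paths and the helper location are assumptions, and the option spellings are those of Squid-4 (tls-cafile=, tls-cert=, tls-key=), so check them against the squid.conf.documented shipped with your build.

```conf
# Added example (not from the post): Squid-4 style squid.conf fragment for
# a TLS-only parent proxy plus client-side SSL-Bump. Names, ports and paths
# below are assumptions; replace them with your own.

# ---- Stage 1: get a verified TLS connection to the parent proxy ----
# For the initial test use a plain "http_port 3128" (no ssl-bump) and send
# only http:// URLs through Squid. The stage-2 port definition below can
# replace it once the peer link is known to work.

# The parent must send its full chain (leaf + intermediates) in the server
# handshake. tls-cafile= should then contain ONLY the root CA of that chain.
# ssldomain= is the name Squid verifies the parent's certificate against.
cache_peer parent.example.net parent 3129 0 no-query default tls tls-cafile=/etc/squid/parent-root-ca.pem ssldomain=parent.example.net name=tlsparent

# Send everything to the parent so the test really exercises the TLS link.
cache_peer_access tlsparent allow all
never_direct allow all

# ---- Stage 2: SSL-Bump on the client-facing port ----
# The CA in tls-cert=/tls-key= signs the mimicked server certificates, so
# it must be trusted by every client that is bumped.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Certificate generator helper; the binary path is distribution specific
# (assumed here) and the ssl_db directory must be initialised beforehand.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# peek at step 1 (ClientHello), stare at the server certificate, then bump.
acl step1 at_step SslBump1
ssl_bump peek  step1
ssl_bump stare all
ssl_bump bump  all
```

Before enabling stage 2, confirm stage 1 on its own. Check that the parent delivers its intermediates with `openssl s_client -connect parent.example.net:3129 -showcerts -CAfile /etc/squid/parent-root-ca.pem </dev/null`: the certificate chain printed should contain more than just the leaf, and the output should end with `Verify return code: 0 (ok)` using only the root in the -CAfile. Then send a plain request through Squid, e.g. `curl -x http://127.0.0.1:3128 http://example.com/`, and look for the peer in access.log before attempting any https:// or bumped traffic. The ssl_db directory referenced by sslcrtd_program is created with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB` (same assumed path), owned by the user Squid runs as.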

