[squid-users] How to Configure Proxy Chaining with ssl-bump

Michael Chen michaelchen8176 at gmail.com
Fri Mar 20 13:13:03 UTC 2020


Hi Amos,
Thanks for your explanation.
Could you instruct me how to install Squid v5 on CentOS 7?
Based on the URL
https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29,
CentOS does not seem to support Squid v5.

BR,
Michael

Amos Jeffries <squid3 at treenet.co.nz> wrote on Fri, 20 Mar 2020 at 5:29 PM:

> On 20/03/20 8:27 pm, Michael Chen wrote:
> > Hi Amos,
> > May I know which function Squid v3.5.28 cannot do for my scenario?
> > Because Squid v3.5 still has command of cache_peer and ssl .....
> >
>
> TLS is a volatile environment, with many changes going on constantly.
> Squid-3 has been deprecated since 2018 and is far behind in support
> needed for current TLS practices.
>
> Especially when bumping you should always have the latest Squid version.
>
>
> This first bit can be tested with Squid-3. It is just about getting a
> secure connection to the peer, any Squid should be able to do that.
>
> Ensure that the peer proxy is delivering its CA *chain* properly.
>  * All the intermediates should be supplied during the server handshake.
>  * cache_peer should only need the root CA for that chain. Configured in
> the sslca= or tls-ca= option.
>
> At this point your Squid should be able to pass traffic to the peer.
> Test that with regular http:// URL requests to your Squid. *Not* HTTPS
> or bumped traffic.
>
>
> You can test the following with Squid-3, but do not expect it to work
> very well. Squid-4 is better in a lot of cases, but still not completely.
>
> Your ssl_bump rules should peek at the client cert, then stare at the
> server cert, then bump the crypto. Like so:
>
>  ssl_bump peek  step1
>  ssl_bump stare all
>  ssl_bump bump  all
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
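For reference, a squid.conf fragment that puts the two steps from Amos's reply together. This is an added example, not from the thread or the Squid project; the peer host and port, the CA file paths, the certificate helper path and the cert DB path are assumed, and the option names are the Squid 4/5 spellings (tls-cafile= is the option behind the sslca=/tls-ca= shorthand above).

```conf
# Added example (not from the thread): chaining to a TLS upstream proxy
# while bumping client traffic, using Squid 4/5 option names.
# Assumed values: upstream.example.net:3129, the CA/cert paths,
# /usr/lib64/squid/security_file_certgen and /var/lib/squid/ssl_db.

# --- Step 1: secure connection to the upstream (peer) proxy ---
# The peer must send its full intermediate chain in its handshake; only
# the root CA of that chain is trusted here, and the system CA bundle is
# switched off so that a missing intermediate or a swapped peer cert
# fails verification (visible in cache.log) instead of silently passing.
cache_peer upstream.example.net parent 3129 0 no-query no-digest default tls tls-cafile=/etc/squid/upstream-root-ca.pem tls-default-ca=off

# Send everything through the peer; never go direct to origin servers.
never_direct allow all

# --- Step 2: bumping, enabled only after plain http:// URLs already
# traverse the peer successfully ---
# Helper that mints per-host certificates signed by the local bump CA.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Intercepting listener; bump-ca.pem holds the local CA cert and key
# that client machines have been configured to trust.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Peek at the client hello, stare at the server cert, then bump.
acl step1 at_step SslBump1
ssl_bump peek  step1
ssl_bump stare all
ssl_bump bump  all
```

Verify step 1 first with the ssl_bump lines commented out: request a plain http:// URL through port 3128 and confirm in access.log that the peer served it, with no chain-verification errors in cache.log. Only then enable the bumping lines and test https:// requests.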
