Re: unsure of how to use sslBump

Brad Barnett wrote:

Hey all,

I've compiled squid-3.HEAD-20080728.tar.gz, and all seems to be working
fine in a general respect.

However, I can't seem to get sslBump working.  I have squid set up as a
transparent proxy, and that part is working fine.  However, when I add
the following lines, and use iptables to redirect port 443 traffic to
squid, generally squid just sits, stalled, forever.

IIRC, sslBump was not designed to allow interception of port 443.
What it does is decrypt HTTPS sent as CONNECT requests through the proxy.

There was some discussion about ways to hack it up to do the interception. I think there may have been a little more coding needed for that. You will have to google the archives and find the original threads on this.

Amos


I turned up the debug log, but didn't even see any cogent information
indicating that sslbump, or any ssl traffic was being attempted.

Any ideas?  Note, while I show 'http_port 3129' below, I also tried using
port 3128, as per the example on the wiki.
Thanks


# configure the HTTP port to bump CONNECT requests
http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key

# avoid bumping requests to sites that Squid cannot proxy well
acl broken_sites dstdomain .webax.com
ssl_bump deny broken_sites
ssl_bump allow all

# ignore certain certificate errors or
# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://weserve.badcerts.com/
acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow TrustedName
sslproxy_cert_error allow BogusError
sslproxy_cert_error deny all


Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
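The distinction Amos draws above is that sslBump acts on an HTTP CONNECT request that a browser sends to an explicit proxy, whereas redirecting port 443 with iptables hands the proxy a raw TLS ClientHello as the very first bytes, so no HTTP request line ever arrives. The following script, added here as an illustration and not code from Squid or from this thread, models only that first message of each flow: it builds a CONNECT request, constructs a truncated TLS record with the ClientHello header shape (not a valid handshake), classifies which of the two a listener received, and shows the simulated proxy answering the CONNECT with "200 Connection established" but having nothing to answer for the intercepted TLS bytes. All byte strings and the proxy behaviour are constructed assumptions for the example.

```python
import re

# Request line of an explicit-proxy tunnel request: CONNECT host:port HTTP/1.x
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")


def build_connect_request(host, port):
    """First bytes a browser sends when configured with an explicit HTTPS proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def fake_tls_client_hello():
    """Constructed, truncated TLS record: content type 0x16 (handshake),
    record version 3.1, 2-byte length, then handshake type 0x01 (ClientHello).
    Only the header shape matters here; this is not a complete ClientHello."""
    body = b"\x01" + b"\x00\x00\x05" + b"\x03\x03" + b"\x00" * 3
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body


def classify_first_bytes(data):
    """Tell an HTTP CONNECT request apart from an intercepted TLS handshake."""
    if data.startswith(b"CONNECT "):
        return "http-connect"
    # TLS record header (0x16, 0x03, minor) followed by handshake type 0x01
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    return "unknown"


def parse_connect(data):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(data)
    if not m:
        return None
    host, port = m.group(1).decode(), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def proxy_first_response(data):
    """Simulated proxy: reply to a CONNECT, otherwise keep waiting for a request line.
    Returns (classification, response bytes or None)."""
    kind = classify_first_bytes(data)
    if kind == "http-connect":
        if parse_connect(data) is None:
            return kind, b"HTTP/1.1 400 Bad Request\r\n\r\n"
        # A bumping proxy would now present its own certificate on this tunnel
        return kind, b"HTTP/1.1 200 Connection established\r\n\r\n"
    # Intercepted flow: the client is waiting for a ServerHello, the proxy is
    # waiting for an HTTP request line, and neither side sends anything else.
    return kind, None


if __name__ == "__main__":
    for sample in (build_connect_request("weserve.badcerts.com", 443),
                   fake_tls_client_hello()):
        kind, reply = proxy_first_response(sample)
        print(f"{kind:18s} -> {reply!r}")
```

Running it prints a 200 reply for the CONNECT sample and `None` for the TLS sample, which is the shape of the stall Brad describes: the redirected connection never produces anything the HTTP side of the proxy can act on.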
