Alex Font wrote:
Hi All, I've recently installed Squid 3.1 and configured with sslBump feature in order to inspect the https traffic using the squid-in-the-middle method, (for legal purposes). The browser gets the certificate right (fake certificate), but when i make a tcpflow to see the http headers, i see all the traffic encrypted... is there a way to inspect the traffic? what i'm doing wrong?
SslBump does not prevent traffic being encrypted. It decrypts _inside_ squid and re-encrypts on the outbound.
I configured squid sslBump feature as follows: ######################## log_mime_hdrs on debug_options ALL,9 ######################### #visible_hostname localhost ssl_bump allow all acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH sslproxy_cert_error allow BogusError sslproxy_cert_error deny all always_direct allow all ######################################################################## cache_store_log /usr/var/logs/store.log acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.26.0.0/16 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access deny all #http_port 3128 http_port 3128 sslBump cert=/usr/etc/nova.pem hierarchy_stoplist cgi-bin ? refresh_pattern ^http: 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth refresh_pattern ^https: 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 coredump_dir /usr/var/cache I also tried with c-icap server and configured Squid as a client of it, but i receive a lot of error such as: Laucher.cc(72) noteAdaptationQueryAbort: cannot retry the failed ICAP xaction; tries: 1; final: 1; AsyncJob.cc(218) dial: Adaptation::Icap::Xaction::noteCommConnected threw exception: cannot connect to ICAP service.
Well, there is your problem. Squid "cannot connect to ICAP service" when you configured it to do so. Fix that and the ICAP service receives the decrypted traffic.
Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
