Re: sslBump: unrecognized: 'ssl_bump', unrecognized: 'https_port'

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 09/09/10 23:05, Guillaume CHAUVEL wrote:
> > Hi,
> >
> > I want to enable SSL bumping with Squid.
> > This function is disabled in Debian version of Squid (Lenny,
> > Lenny-backports and Squeeze), so I decided to compile Squid from source.
> >
> > Squid version: 3.1.8
> >
> > ./configure --prefix=/usr/local/squid \
> >     --enable-inline \
> >     --enable-async-io=8 \
> >     --enable-storeio="ufs,aufs,diskd" \
> >     --enable-removal-policies="lru,heap" \
> >     --enable-delay-pools \
> >     --enable-cache-digests \
> >     --enable-icap-client \
> >     --enable-follow-x-forwarded-for \
> >     --enable-auth="basic,digest,ntlm,negotiate" \
> .......
> > /usr/local/squid/sbin/squid output:
> > 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> > squid.conf:1155 unrecognized: 'https_port'
> > 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> > squid.conf:1156 unrecognized: 'ssl_bump'
> > 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> > squid.conf:1537 unrecognized: 'ssl_bump'
> > 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> > squid.conf:5625 unrecognized: 'sslproxy_cert_error'
> > 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> > squid.conf:5626 unrecognized: 'sslproxy_flags'
> >
> > What am I doing wrong?
>
> ./configure --help | grep ssl
>    --enable-ssl            Enable ssl gatewaying support using OpenSSL
>    --with-openssl{=PATH}   Compile with the OpenSSL libraries. The path to the
>
> It looks like '--with-ssl' doesn't work, you should use '--enable-ssl'
>
> also since 3.1.7 "sslBump" is deprecated, you should move to
> "ssl-bump" : http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_7.html
> have a look at ./src/squid.conf.documented line 1045
>
>
> > http_port 8080
> > https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem
>
> I am quite new to squid but I don't think this is going to do what you
> want judging by your config file without any "cache_peer"
> https_port as stated in the documentation is really only useful when
> running squid as an accelerator. you should use
> "http_port 8080 ssl-bump cert=/etc/ssl/certs/certificate.pem" instead
> and remove https_port

Yes, https_port is a port for receiving "native" SSL connections.

The ssl-bump feature is for converting CONNECT tunnel requests into 
normal HTTP traffic. CONNECT is a weird kind of HTTP-over-SSL-over-HTTP 
multiple-wrapped request thing. ssl-bump strips away the outer two 
layers of wrapping. It only works when browsers etc which are configured 
to send their HTTPS via an HTTP proxy.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2