I tried using ssldump and tshark and I can't seem to get this working. I am using squid's private key to try to decrypt the traffic. The connection goes from the client (192.168.2.2) to squid server (192.168.2.1) on port 3128. If I understand correctly, the client establishes a connection with squid on port 3128 and then squid establishes a connection with https://www.gmail.com on port 443. Shouldn't I be able to decrypt the connection between the client and the squid server in order to see the traffic that is being sent to gmail? On Feb 3, 2012, at 2:08 PM, "Alfonso Alejandro Reyes Jimenez" <aareyes@xxxxxxxxxxxxx> wrote: > Sorry. SSLDUMP is like tcpdump but for ssl, it Works on layer 3 and has nothing to do with squid, that what we use. > > Regards. > > > > -----Mensaje original----- > De: PS [mailto:packetstack@xxxxxxxxx] > Enviado el: viernes, 03 de febrero de 2012 12:56 p.m. > Para: Alfonso Alejandro Reyes Jimenez > CC: squid-users@xxxxxxxxxxxxxxx > Asunto: Re: Capturing HTTPS traffic > > Could you please be a little more specific? Is there something else called ssldump that I am supposed to use? > > This is what my config looks like. I am currently using ssl_bump. > > > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > http_access allow localhost manager > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localnet > http_access allow localhost > http_access deny all > http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/squid.pem > always_direct allow all > ssl_bump allow all > sslproxy_cert_error allow all > sslproxy_flags DONT_VERIFY_PEER > coredump_dir /usr/local/squid/var/cache/squid > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt access_log /usr/local/squid/var/logs/access.log squid > > Thanks for the quick response! > > On Feb 3, 2012, at 1:20 PM, Alfonso Alejandro Reyes Jimenez wrote: > >> Hi. >> >> If you have the certifícate information you may use ssldump to decode the information. I hope this helps. >> >> >> Regards. >> >> -----Mensaje original----- >> De: PS [mailto:packetstack@xxxxxxxxx] Enviado el: viernes, 03 de >> febrero de 2012 12:11 p.m. >> Para: squid-users@xxxxxxxxxxxxxxx >> Asunto: Capturing HTTPS traffic >> >> Hello, >> >> I am currently running the following version of Squid: >> >> Squid Cache: Version 3.2.0.14-20120202-r11500 configure options: '--enable-ssl' '--enable-ssl-crtd' >> >> I configured it so that certs are generated on the fly and I am able to get to HTTPS websites without getting a certificate warning. >> >> I want to do a packet capture of all HTTPS traffic while in cleartext. I would think that it can be done on the Squid box. Is that possible? >> >> If I use tcpdump on the Squid box, I only see the encrypted traffic. Do I have to recompile Squid with another configuration option to be able to do what I want to do? >> >> Thanks >
