Re: Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A

[Eliezer Croitoru <eliezer@xxxxxxxxxxxx>]

On 10/18/2013 04:59 AM, Larry Zhao wrote:
> Hi, Eliezer,
>
> Yes, my problem to solve is only to proxy to this specific host, no
> other subdomains need considering.
Well it depends...
If you want to intercept only one DOMAIN or one tree of domains you need 
to issue different certificates or a mimic of a certificate.
Also you need the clients to accept certificates from you own server.

It's not that simple just note that..

> And to be honest, I am new to this part, from what I could get from
> the page you mentioned, I need to use ssl-bump? Am I right?
If you have one combined key\pem file of both the private key and the 
certificate you can use only the cert part..

take a small peak at:
https://workaround.org/certificate-authority

I will continue with it later.

Eliezer
> --
>
> Cheers ~
>
> Larry
>
>
> On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
> > Hey,
> >
> > Only to this specific host or also all the subdomains etc..
> > It differs a bit..
> > A small look at this wiki:
> > http://wiki.squid-cache.org/Features/MimicSslServerCert
> >
> > Will calrify some doubts and situations which you will might see some
> > problem.
> >
> > Eliezer
> >
> >
> > On 10/17/2013 06:44 PM, Larry Zhao wrote:
> > > Hi, Guys,
> > >
> > >
> > > I am trying to setup a SSL proxy for one of my internal servers to
> > > visit `https://www.googleapis.com` using Squid, to make my Rails
> > > application on that server to reach `googleapis.com` via the proxy.
> > >
> > >
> > > I am new to this, so my approach is to setup a SSL transparent proxy
> > > with Squid. I build `Squid 3.3` on Ubuntu 12.04, generated a pair of
> > > ssl key and crt, and configure squid like this:
> > >
> > >
> > >       http_port 443 transparent cert=/home/larry/ssl/server.csr
> > > key=/home/larry/ssl/server.key
> > >
> > >
> > > And leaves almost all other configurations default. The authorization
> > > of the dir that holds key/crt is `drwxrwxr-x  2 proxy proxy    4096
> > > Oct 17 15:45 ssl`
> > >
> > >
> > > Back on my dev laptop, I put `<proxy-server-ip> www.googleapis.com` in
> > > my `/etc/hosts` to make the call goes to my proxy server.
> > >
> > >
> > > But when I try it in my rails application, I got:
> > >
> > >
> > >       SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A:
> > > unknown protocol
> > >
> > >
> > > And I also tried with openssl in cli:
> > >
> > >
> > >       openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1
> > > | grep "^SSL"
> > >
> > >       SSL_connect:before/connect initialization
> > >
> > >       SSL_connect:SSLv2/v3 write client hello A
> > >
> > >       SSL_connect:error in SSLv2/v3 read server hello A
> > >
> > >       SSL_connect:error in SSLv2/v3 read server hello A
> > >
> > >
> > >
> > > Where did I do wrong?
> > >
> > > --
> > >
> > > Cheers ~
> > >
> > > Larry