Hello All.

My goal is to do SSL bumping in transparent proxy mode with the possibility of excluding domains. Let me tell you about squid's strange behaviour when I'm trying to do it. In browsers it says something like this:

This server could not prove that it is www.ukr.net; its security certificate is from 212.42.76.253. This may be caused by a misconfiguration or an attacker intercepting your connection.
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: 212.42.76.253

It looks like squid takes the CN for the certificate from the IP address of the destination domain. But everything works smoothly when I use the proxy in non-transparent mode and put it into the browser directly. I can successfully bypass bad sites and do SSL bumping on the others. There are no certificate errors, except for some of them, you know :)

My OS is CentOS 6.5, 2.6.32-358.6.2.el6.x86_64

My squid's version:

/opt/squid/sbin/squid -v
Squid Cache: Version 3.5.0.2
Service Name: squid
configure options: '--with-openssl' '--enable-linux-netfilter' '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd' '--prefix=/opt/squid' '--enable-external-acl-helpers=none' '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for' '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2' '--enable-snmp' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

My iptables rules, which do the redirecting to the internal squid ports:

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source          destination
1    ACCEPT    tcp  --  0.0.0.0/0       192.168.0.121   tcp dpt:443 /* accept connection */
2    REDIRECT  tcp  --  192.168.0.0/24  0.0.0.0/0       tcp dpt:443 /* redirect */ redir ports 3132
3    ACCEPT    tcp  --  0.0.0.0/0       192.168.0.121   tcp dpt:80 /* accept connection */
4    REDIRECT  tcp  --  192.168.0.0/24  0.0.0.0/0       tcp dpt:80 /* redirect */ redir ports 3131

Here is my squid configuration file:
___________________________
visible_hostname local.local
always_direct allow all
dns_nameservers 8.8.8.8

acl step2 at_step SslBump2
ssl_bump stare step2 all
acl sslBumpDeniedDstDomain dstdomain ukr.net www.ukr.net
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
http_port 3131 transparent
https_port 3132 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem

http_access allow all

sslcrtd_program /opt/squid/libexec/ssl_crtd -s /opt/squid/var/ssl_db -M 4MB
sslcrtd_children 15

logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/opt/squid/var/logs/access.log logaccess
______________________________________________________

Also, I've run squid like this:

/opt/squid/sbin/squid -N -X -d 2

and got interesting strings like:

2014/11/26 04:28:08.622| client_side.cc(3849) httpsSslBumpAccessCheckDone: sslBump needed for local=212.42.76.246:443 remote=192.168.0.122:63719 FD 40 flags=33 method 5

Here, the local and remote IP addresses are switched (I checked such lines when going through squid directly).

Please tell me what can be wrong in the configuration or in squid. I can provide you with any logs you may need. BTW, cache.log is clean.
________________
Best regards
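An added example, not the poster's configuration and not taken from the Squid documentation, showing the ssl_bump rule ordering that an intercepted (transparent) port needs in order to exclude hosts by name. The reasoning it illustrates: at SslBump1 Squid knows only the intercepted TCP destination, so in the posted order neither "stare step2 all" (wrong step) nor the dstdomain splice (no hostname yet) can match, "bump all" is the first rule that does, and the certificate is minted from the only name available, the IP. The ".ukr.net" exclusion list, the port number and certificate paths are taken from the post; everything else is assumed for the example.

```conf
# Added example (not the original poster's squid.conf). Squid 3.5 syntax.
# Assumes the same port and certificate paths as the post.

# --- Ordering from the post, kept here for comparison ---
# acl step2 at_step SslBump2
# ssl_bump stare step2 all
# acl sslBumpDeniedDstDomain dstdomain ukr.net www.ukr.net
# ssl_bump splice sslBumpDeniedDstDomain
# ssl_bump bump all
#
# At SslBump1 only the intercepted destination (e.g. 212.42.76.253:443) is
# known. "stare step2" cannot match at step 1 and dstdomain has no hostname
# to compare against, so "bump all" is the first matching rule and Squid
# generates a certificate whose subject is the IP address.

# --- Corrected ordering: peek at step 1, decide once the SNI is available ---
acl step1 at_step SslBump1

# Hosts that must never be bumped. ssl::server_name matches the SNI taken
# from the ClientHello (and later the server certificate), which is the name
# an intercepted connection actually carries. dstdomain is kept alongside it
# for the forward-proxy port 3128, where the client sends a CONNECT hostname.
acl noBump    ssl::server_name .ukr.net
acl noBumpDst dstdomain        .ukr.net

ssl_bump peek   step1      # step 1: read the ClientHello, learn the SNI, decide nothing yet
ssl_bump splice noBump     # step 2: tunnel excluded hosts untouched (TCP_TUNNEL in access.log)
ssl_bump splice noBumpDst
ssl_bump bump   all        # step 2: everything else gets a Squid-issued certificate

# "intercept" is the current spelling of the deprecated "transparent" mode flag.
https_port 3132 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
```

Check the result with "/opt/squid/sbin/squid -k parse" before reloading, then from a client behind the proxy run "openssl s_client -connect www.ukr.net:443 -servername www.ukr.net" and confirm the presented certificate is the real site's, while a bumped host shows the local CA as issuer and the spliced host is logged as TCP_TUNNEL. One caveat worth knowing: a client that sends no SNI gives ssl::server_name nothing to match at step 2, so such connections fall through to "bump all"; if that is unacceptable, add a rule that splices when ssl::server_name is empty before the final bump.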