The following "works" for me:

    # intercept for transparent proxy of ssl connections
    https_port 3130 name=transproxyssl intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ca.pem

    # just testing with my laptop
    acl james_src arp 11:11:11:11:11:11

    # name of port used for transparent ssl interception
    acl transproxyssl myportname transproxyssl

    ssl_bump stare transproxyssl james_src
    ssl_bump bump james_src
    ssl_bump splice all

But "works" is probably a bit of an exaggeration. I was seeing lots of this sort of thing in the logs:

    Error negotiating SSL on FD 75: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry (1/-1/0)
    hold write on SSL connection on FD 65
    BUG 3556: FD 112 is not an open socket.
    assertion failed: Read.cc:69: "fd_table[conn->fd].halfClosedReader != NULL"

And squid restarting a lot. This was with squid-3.5.0.2-20141121-r13666, so hopefully I was seeing some bugs that are now fixed, and it's not that I am abusing the configuration or something... I'm upgrading to the latest snapshot now for further testing.

James

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Vadim Rogoziansky
> Sent: Friday, 19 December 2014 11:29 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Transparent proxy with Peek and Splice feature.
>
> Any ideas, any thoughts?
> Thanks.
>
> 11/29/2014 6:17 AM, Amos Jeffries wrote:
> > On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> >> Hello Amos.
> >>
> >> Thank you for the answer.
> >>
> >> An investigation was made into squid's peek and splice issues in
> >> transparent mode. The one-line explanation is as follows: in
> >> intercept mode squid can't get the server host name from the request
> >> header and uses the client IP address instead, both for fake cert
> >> generation and as the SNI record in the server bump SSL handshake.
> >> This is the root of the problem. However, this can be fixed if squid
> >> uses the SNI field taken from the client TLS Hello message for those
> >> purposes. Can you hack squid in this way? What do you think?
> >
> > I think peek-n-splice is supposed to already be doing that.
> >
> > However, it does depend on whether you are bumping the connection at
> > step 1 (before ClientHello), step 2 (after ClientHello, before
> > ServerHello), or step 3 (after both ClientHello and ServerHello) of
> > the TLS handshake whether the SNI details are present.
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
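Amos's point is that the SNI only exists once the ClientHello has been read, i.e. from SslBump2 onwards, so any rule that decides at step 1 can only ever see IP addresses. The Squid 3.5 fragment below is an added example, not config from this thread or from the Squid project: it peeks at step 1 so the ClientHello is parsed, takes the SNI-based splice decision at step 2, stares at step 2 to fetch the real server certificate, and bumps only at step 3. The port name, ARP address and CA path are copied from James's message; the ssl_crtd helper paths, the ssl_db directory and the `.example-bank.test` no-bump domain are assumptions.

```conf
# Added example (not from the thread). Squid 3.5 SslBump with the decision
# step made explicit, so the SNI is known before any bump/splice choice.

# Same intercept port as in the message above.
https_port 3130 name=transproxyssl intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ca.pem

# Certificate-minting helper for generate-host-certificates=on.
# Paths are assumptions for a /usr/local/squid install; adjust to yours.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

acl transproxyssl myportname transproxyssl
acl james_src arp 11:11:11:11:11:11

# SslBump1: only TCP-level facts are known (client IP, intercepted dst IP).
# SslBump2: the ClientHello has been parsed, so ssl::server_name sees the SNI.
# SslBump3: the ServerHello/certificate has been received as well.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hosts never to decrypt (assumed list; pinned or otherwise sensitive sites).
# Matched against the SNI, which is why this must not be evaluated at step 1.
acl nobump ssl::server_name .example-bank.test

# Step 1: take no decision yet, just read the ClientHello to learn the SNI.
ssl_bump peek step1

# Step 2: with the SNI in hand, leave the no-bump hosts untouched ...
ssl_bump splice nobump
# ... and for the test client fetch the real server certificate so the
# generated certificate mimics it rather than being named after an IP.
ssl_bump stare step2 james_src

# Step 3: bump the test client; everything else is spliced through.
ssl_bump bump step3 james_src
ssl_bump splice all
```

Rules are evaluated afresh at each step and the first match wins, so the order matters: if `ssl_bump bump james_src` came before the step-1 peek, the test client would be bumped at step 1 with nothing but the destination IP to name the certificate. Keeping the step ACLs on each decision makes it obvious in the log which step a connection was decided at.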