./configure --prefix=/opt --enable-icap-client --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
Full squid.conf:
#####################################
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow all
sslproxy_cert_error allow all
sslproxy_cert_error deny all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options ALL
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5
http_port 3129 ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
external_acl_type sni ttl=30 concurrency=10 children-max=20 children-startup=5 %ssl::>sni /opt/etc/squid/bumphelper.py
acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2
ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::bump_mode %ssl::>sni %ssl::>cert_subject
access_log syslog:daemon.info mine
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /opt/var
#####################################
bumphelper.py:
#####################################
#!/usr/bin/python
# External ACL helper for the "sni" acl in squid.conf. Squid writes one
# "<channel-id> <sni>" line per lookup (the channel id comes from concurrency=10)
# and expects "<id> OK" (acl matches -> splice) or "<id> ERR" (no match -> bump).
import sys

while True:
    req = sys.stdin.readline()
    if not req:          # EOF: Squid closed the pipe, exit cleanly
        break
    fields = req.split()
    if not fields:       # blank line, nothing to answer
        continue
    chan_id = fields[0]
    # Squid passes "-" (or nothing) when the ClientHello carried no server_name
    sni = fields[1] if len(fields) > 1 else '-'
    sys.stderr.write('request %r\n' % req)
    sys.stderr.flush()
    if sni == 'google.com':  # bypass: exact match on the SNI value Squid passed
        sys.stdout.write('{} OK\n'.format(chan_id))
    else:
        sys.stdout.write('{} ERR\n'.format(chan_id))
    sys.stdout.flush()
#####################################
The tests:
root@kali:~/test# wget -d https://www.google.com
######################################
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2015-05-28 17:44:31-- https://www.google.com/
Connecting to 192.168.1.6:3129... connected.
Created socket 4.
Releasing 0x092c6730 (new refcount 0).
Deleting unused 0x092c6730.
---request begin---
CONNECT www.google.com:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
---request end---
proxy responded with: [HTTP/1.1 200 Connection established
]
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: www.google.com
Connection: Close
Proxy-Connection: Keep-Alive
---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.1 503 Service Unavailable
Server: squid/3.5.4
Mime-Version: 1.0
Date: Thu, 28 May 2015 23:44:33 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3899
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 32
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from analysis
Via: 1.1 analysis (squid/3.5.4)
Connection: close
---response end---
503 Service Unavailable
URI content encoding = `utf-8'
2015-05-28 17:44:32 ERROR 503: Service Unavailable.
########################################
access.log entry for the above wget:
#####################################
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "CONNECT www.google.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.google.com -
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "GET https://www.google.com/ HTTP/1.1" 503 4242 TAG_NONE:HIER_NONE - www.google.com -
#####################################
sudo /opt/sbin/squid -d 1 -N -f /opt/etc/squid/squid.conf
######################################
2015/05/28 17:44:33| Error negotiating SSL on FD 14: error:00000000:lib(0):func(0):reason(0) (5/-1/32)
######################################
I see the same type of thing for apple.com and yahoo.com. I'm assuming this is HSTS, but I could be wrong. MSN however works fine with the above:
root@kali:~/test# wget -d https://www.msn.com
######################################
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2015-05-28 18:24:50-- https://www.msn.com/
Connecting to 192.168.1.6:3129... connected.
Created socket 4.
Releasing 0x0a6493c0 (new refcount 0).
Deleting unused 0x0a6493c0.
---request begin---
CONNECT www.msn.com:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
---request end---
proxy responded with: [HTTP/1.1 200 Connection established
]
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: www.msn.com
Connection: Close
Proxy-Connection: Keep-Alive
---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
######################################
May 28 18:24:51 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:51 -0600] "CONNECT www.msn.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.msn.com -
May 28 18:24:52 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:52 -0600] "GET https://www.msn.com/ HTTP/1.1" 200 38613 TCP_MISS:HIER_DIRECT bump www.msn.com -
######################################
I found that adding %ssl::bump_mode to logging sure helped out with where I was at in the steps. I also tried the new acl ssl::server_name instead of using the external helper, but I got the same results with google, yahoo, and apple. Even setting ssl_bump splice all didn't work well... it appears that yahoo, google, and apple are peek resistant. I'll keep digging. Thank you.
James
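Added example (not part of James's post or of Squid): a small Python script that parses access_log lines written in the "mine" logformat from the squid.conf above and reports, per SNI, which ssl_bump mode was logged and whether the bumped connection actually completed. The google.com and msn.com sample lines are the ones quoted in the post; the example.com splice line is constructed here to show the third outcome, and the failure test (an https:// request answered 503 with HIER_NONE and no bump mode) is derived from the posted lines rather than from any Squid documentation.

```python
import re

# Access-log lines in the post's "mine" logformat, as written via syslog.
# The google.com and msn.com lines are from the post; the example.com line is
# constructed to show a spliced tunnel (TCP_TUNNEL with bump mode "splice").
SAMPLE_LOG = """\
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "CONNECT www.google.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.google.com -
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "GET https://www.google.com/ HTTP/1.1" 503 4242 TAG_NONE:HIER_NONE - www.google.com -
May 28 18:24:51 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:51 -0600] "CONNECT www.msn.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.msn.com -
May 28 18:24:52 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:52 -0600] "GET https://www.msn.com/ HTTP/1.1" 200 38613 TCP_MISS:HIER_DIRECT bump www.msn.com -
May 28 18:30:02 analysis squid: 192.168.1.91 - - [28/May/2015:18:30:02 -0600] "CONNECT example.com:443 HTTP/1.1" 200 5120 TCP_TUNNEL:HIER_DIRECT splice example.com -
"""

# One group per logformat token: %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
# %Ss:%Sh %ssl::bump_mode %ssl::>sni %ssl::>cert_subject. The syslog prefix is
# optional so the same parser also works on a file-based access_log.
LINE_RE = re.compile(
    r'^(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ squid(?:\[\d+\])?: )?'
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<code>[^:\s]+):(?P<hier>\S+) '
    r'(?P<bump>\S+) (?P<sni>\S+) (?P<cert>.*)$'
)


def parse_line(line):
    """Return the fields of one access_log line as a dict, or None when the
    line is not in this logformat (e.g. a cache.log line pasted alongside)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = int(rec['bytes'])
    return rec


def summarize(log_text):
    """Group records by SNI: which bump modes were logged, and whether the
    bumped request failed. Failure heuristic taken from the posted lines: an
    https:// request that Squid answered itself with 503 (HIER_NONE, no bump
    mode), which is how ERR_SECURE_CONNECT_FAIL shows up in access_log."""
    by_sni = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['sni'] == '-':
            continue
        entry = by_sni.setdefault(rec['sni'], {'modes': set(), 'failed': False})
        if rec['bump'] != '-':
            entry['modes'].add(rec['bump'])
        if (rec['url'].startswith('https://') and rec['status'] == 503
                and rec['hier'] == 'HIER_NONE'):
            entry['failed'] = True
    return by_sni


def find_bump_failures(log_text):
    """Server names whose interception was attempted but never completed."""
    return sorted(sni for sni, e in summarize(log_text).items() if e['failed'])


def outcome(entry):
    """Plain-language verdict for one SNI entry from summarize()."""
    if entry['failed']:
        return 'bump attempted, server handshake failed'
    if 'splice' in entry['modes']:
        return 'spliced (tunnelled untouched)'
    if 'bump' in entry['modes']:
        return 'bumped (intercepted and decrypted)'
    return 'peeked only'


if __name__ == '__main__':
    for sni, entry in sorted(summarize(SAMPLE_LOG).items()):
        modes = '/'.join(sorted(entry['modes']))
        print('%-20s %-12s %s' % (sni, modes, outcome(entry)))
```

Run against a real log with `summarize(open('/var/log/squid/access.log').read())`; hosts that repeatedly land in "bump attempted, server handshake failed" are the candidates for the splice exclusion list, and the same parser gives you the SNI spelling Squid actually saw (www.google.com rather than google.com), which is what the external helper compares against.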
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users