2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>
> My own solution in conjunction with Tor + Privoxy looks like this (Note:
> for Squid 3.4.13):
>
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump

This seems to be an old config directive. The new corresponding one should be
"ssl_bump bump net_bump".
And no "peek" one? Or is that the problem?

Thanks.

> # Privoxy+Tor access rules
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> http_port 3127
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key

I also tried such a config, with such "http_port" and "http_port intercept",
with ssl-bump at last.
Although curl works under test, the certificate is not the fake one (the
issuer is not my fake one).
So I consider the ssl-bump not working in that case.
I'd like to reply when I set it up later to test.

Thanks

> sslproxy_capath /etc/opt/csw/ssl/certs
> sslproxy_options NO_SSLv2 NO_SSLv3
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> Generally,
>
> works like charm.
>
> 06.07.15 15:22, adam900710 writes:
>> Hi all,
>>
>> I tried to build an ssl bumping proxy with an upper-level proxy, but the client
>> failed to connect like the following.
>>
>> The error:
>> ---
>> $ curl https://www.google.co.jp -vvvv -k
>> * Rebuilt URL to: https://www.google.co.jp/
>> *   Trying ::1...
>> * Connected to localhost (::1) port 3128 (#0)
>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>> CONNECT www.google.co.jp:443 HTTP/1.1
>>> Host: www.google.co.jp:443
>>> User-Agent: curl/7.43.0
>>> Proxy-Connection: Keep-Alive
>>>
>> < HTTP/1.1 200 Connection established
>> <
>> * Proxy replied OK to CONNECT request
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>   CApath: none
>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>> * Closing connection 0
>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>> ---
>>
>> My squid.conf:
>> ---
>> # default acls/configs are ignored
>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>> never_direct allow all
>> ssl_bump peek all
>> ssl_bump bump all
>> http_port 3128 ssl-bump \
>>   cert=/etc/squid/ssl/ca.crt \
>>   key=/etc/squid/ssl/ca.key \
>>   generate-host-certificates=on \
>>   dynamic_cert_mem_cache_size=4MB
>> ---
>>
>> From the cache_peer port, someone may notice that I'm using privoxy.
>> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
>> or I can't ever access some sites.
>>
>> Here are some of my experiments:
>> 1) Remove "never_direct"
>> Then ssl_bump works as expected, but all traffic doesn't go through
>> the SOCKS5 proxy. So a lot of sites I can't access.
>>
>> 2) Use local 8118 proxy
>> That works fine without any problem, but SSL_dump is needed...
>> So that just proves privoxy is working.
>>
>> Any clue?
>>
>> Thanks
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
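The reply above decides that bumping is "not working" because the certificate curl sees is not issued by the local rootCA. The following script is an added example, not code from this thread or from the Squid project: it captures the leaf certificate presented through the proxy and checks, with a real signature check rather than an issuer-name comparison, whether it chains to the bumping CA. The proxy address 127.0.0.1:3128, the CA path and the test host are assumptions for illustration; the self-test helper mints throwaway certificates locally so the checking function can be exercised offline. It needs the openssl CLI (1.1.0 or later for s_client -proxy).

```sh
#!/bin/sh
# Added example (not from the thread): is an HTTPS connection made through a
# Squid ssl-bump proxy really being bumped? If it is, the leaf certificate the
# client receives was minted by our own CA; if not, it is the origin's cert.
# Assumptions (hypothetical, not from the page): proxy at 127.0.0.1:3128,
# bumping CA at /usr/local/squid/etc/rootCA.crt.

# Capture the leaf certificate seen through the proxy. s_client -proxy issues
# the CONNECT for us; the PEM is written to $3.
fetch_leaf_via_proxy() {
    proxy="$1"; host="$2"; out="$3"
    openssl s_client -proxy "$proxy" -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
}

# Return 0 if the leaf chains to the given CA (bumped), non-zero otherwise.
# openssl verify checks the signature, so a cert that merely copies the CA's
# distinguished name into its issuer field would still be rejected.
signed_by_bump_ca() {
    leaf="$1"; ca="$2"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Human-readable verdict for a captured leaf.
report() {
    if signed_by_bump_ca "$1" "$2"; then
        echo "bumped: leaf issued by our CA"
    else
        echo "NOT bumped: leaf not issued by our CA"
    fi
}

# Offline self-test helper: mint a throwaway CA, a leaf signed by it (what
# ssl_crtd would generate) and an unrelated self-signed leaf (what a
# non-bumped origin looks like) in directory $1. Constructed test data only.
make_test_certs() {
    dir="$1"
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Bump CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/bumped.crt" 2>/dev/null
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" -keyout "$dir/origin.key" -out "$dir/origin.crt" 2>/dev/null
}

# Usage against a live proxy (hypothetical addresses and paths):
#   fetch_leaf_via_proxy 127.0.0.1:3128 www.google.co.jp /tmp/seen.crt
#   report /tmp/seen.crt /usr/local/squid/etc/rootCA.crt
```

Run the two usage lines after pointing a client at the bumping port; "NOT bumped" with a successful fetch means Squid tunnelled the CONNECT (for example via the cache_peer) without terminating TLS, which matches what the reply describes seeing with curl.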