-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use version 3.4. Yes, these are old directives. 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception environment.

On 06.07.15 20:21, adam900710 writes:
> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>> for Squid 3.4.13):
>>
>> # Tor acl
>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>
> This seems to be an old config directive.
>
> The new corresponding one should be "ssl_bump bump net_bump".
>
> And, no "peek" one? Or is that the problem?
>
> Thanks.
>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>> always_direct deny tor_url
>> always_direct allow all
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> http_port 3127
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
>> key=/usr/local/squid/etc/rootCA.key
>
> I also tried such a config.
>
> With such "http_port" and "http_port intercept", with ssl-bump last.
>
> Although curl works under test, the certificate is not the fake one.
>
> (Issuer is not my fake one.)
>
> So I consider the ssl-bump not working in that case.
>
> I'd like to reply when I set it up later to test.
>
> Thanks
>
>> sslproxy_capath /etc/opt/csw/ssl/certs
>> sslproxy_options NO_SSLv2 NO_SSLv3
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> Generally,
>>
>> works like a charm.
>>
>> On 06.07.15 15:22, adam900710 writes:
>>> Hi all,
>>>
>>> I tried to build an SSL bumping proxy with an upstream proxy, but the client
>>> failed to connect as follows.
>>>
>>> The error:
>>> ---
>>> $ curl https://www.google.co.jp -vvvv -k
>>> * Rebuilt URL to: https://www.google.co.jp/
>>> *   Trying ::1...
>>> * Connected to localhost (::1) port 3128 (#0)
>>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>> > CONNECT www.google.co.jp:443 HTTP/1.1
>>> > Host: www.google.co.jp:443
>>> > User-Agent: curl/7.43.0
>>> > Proxy-Connection: Keep-Alive
>>> >
>>> < HTTP/1.1 200 Connection established
>>> <
>>> * Proxy replied OK to CONNECT request
>>> * ALPN, offering http/1.1
>>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>> * successfully set certificate verify locations:
>>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>>   CApath: none
>>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>>> * Closing connection 0
>>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>>> ---
>>>
>>> My squid.conf:
>>> ---
>>> # default acls/configs are ignored
>>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>>> never_direct allow all
>>> ssl_bump peek all
>>> ssl_bump bump all
>>> http_port 3128 ssl-bump \
>>>   cert=/etc/squid/ssl/ca.crt \
>>>   key=/etc/squid/ssl/ca.key \
>>>   generate-host-certificates=on \
>>>   dynamic_cert_mem_cache_size=4MB
>>> ---
>>>
>>> From the cache_peer port, someone may notice that I'm using privoxy.
>>> That's right, as I need to redirect the SSL traffic to a SOCKS5 proxy,
>>> or I can't ever access some sites.
>>>
>>> Here are some of my experiments:
>>> 1) Remove "never_direct"
>>> Then ssl_bump works as expected, but all traffic doesn't go through
>>> the SOCKS5 proxy. So a lot of sites I can't access.
>>>
>>> 2) Use the local 8118 proxy
>>> That works fine without any problem, but SSL bump is needed...
>>> So that just proves privoxy is working.
>>>
>>> Any clue?
>>>
>>> Thanks
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVmo9ZAAoJENNXIZxhPexGjzsIALCunLEQOJGKkcm0V0wr3QTQ
xdfkLvJTh9i5sJNaMGbfuE2SCYIERf7HOTu9vNFpFwZBZoQTiMqud1v8KQkzGXTC
xXCjlLAu937DJ+cJoeWNw+wacCB5wBFp4GoonoF3zf2HdIu76u5BQn2WeFZEfnN0
G1WNMh2j7BlCOgRzI7cPnFZPzomcwlCRm7VqfgmadBMU9NpP3w+iVlngGTbt0WOu
Apf6ktZpumfvu68hu0I1Vtn746Dz/U+mmU8Ue+FBga5wyYW6JSMMAQOdsZTeXLnh
Iyu56A47ouNkugcueeuLOXbVlE9N44KpBc96QkXdOvKyx+VemRzaCrMYlvaFO1U=
=Mt1T
-----END PGP SIGNATURE-----
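Added example (my own, not code from anyone in this thread): a small Python probe for the "is the certificate the fake one?" question raised above. curl -k accepts any chain, so you have to read the issuer out of its verbose output; this script instead pins verification to the bump CA only, so a handshake that verifies means Squid bumped the connection, a verification failure means you were shown the origin's real chain (no bump, or a bump with some other CA), and any other SSL error is the curl (35) style failure from the original post. Assumptions: the proxy accepts CONNECT on a forward-proxy port (localhost:3128 as in the original squid.conf; an intercept port cannot be probed this way), and bump_ca_pem is the CA certificate Squid signs its generated host certificates with (the thread's /etc/squid/ssl/ca.crt or rootCA.crt). Proxy host, port and CA path are parameters you supply; the certificate dict used below for the pure helpers is constructed in the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Probe whether an SSL-bumping proxy actually bumps a given host.

Assumed setup (not from the thread): proxy speaks HTTP CONNECT on
proxy_host:proxy_port and bump_ca_pem holds the bump root CA in PEM.
"""
import socket
import ssl


def build_connect_request(host, port):
    """Minimal CONNECT request, the same thing curl sends in the post."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode()


def parse_connect_status(response):
    """Return the HTTP status code from the proxy's reply to CONNECT."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % line)
    return int(parts[1])


def read_connect_response(sock):
    """Read the proxy's response headers up to the blank line."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    return buf


def issuer_cn(cert):
    """Issuer commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, bump_ca_cn):
    """'bumped' when the leaf was issued by our bump CA, else 'passthrough'."""
    return "bumped" if issuer_cn(cert) == bump_ca_cn else "passthrough"


def probe(proxy_host, proxy_port, target_host, bump_ca_pem, bump_ca_cn,
          target_port=443):
    """Tunnel through the proxy and report what certificate we were shown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the fake cert's name is irrelevant here
    ctx.verify_mode = ssl.CERT_REQUIRED  # but the chain must lead to the bump CA
    ctx.load_verify_locations(cafile=bump_ca_pem)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(target_host, target_port))
        status = parse_connect_status(read_connect_response(raw))
        if status != 200:
            return "proxy refused CONNECT (%d)" % status
        try:
            with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
                # Verified against the bump CA only, so this is a bumped session;
                # classify() double-checks the issuer name for the report.
                return classify(tls.getpeercert(), bump_ca_cn)
        except ssl.SSLCertVerificationError:
            return "passthrough"        # origin's real chain, no bump happened
        except ssl.SSLError as exc:
            return "handshake failed: %s" % exc  # the curl (35) case


if __name__ == "__main__":
    # Values below are placeholders for the assumed setup, not thread data.
    print(probe("localhost", 3128, "www.google.co.jp",
                "/etc/squid/ssl/ca.crt", "Squid Bump CA"))
```

Run it once against a host you expect to be bumped and once against one matched by a no-bump ACL; "bumped" for the first and "passthrough" for the second is the result the configs above are trying to get.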