Tried your config in my environment.
Although curl can get to the sites through privoxy, just like the log says:
------
1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
------

But the certificate I got is still the original one, not the fake one:
------
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*  start date: 2015-06-18 08:52:56 GMT
*  expire date: 2015-09-16 00:00:00 GMT
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.
------

Does it work only in 3.4?
Anyway, I'll try to downgrade squid and try it again.

Thanks

2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I use the 3.4 version. Yes, these are old directives.
>
> 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception
> environment.
>
> 06.07.15 20:21, adam900710 writes:
>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>>
>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>> for Squid 3.4.13):
>>
>> # Tor acl
>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>> > This seems to be an old config directive.
>> > The new corresponding one should be "ssl_bump bump net_bump"
>>
>> > And, no "peek" one? Or is that the problem?
>>
>> > Thanks.
>>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>> always_direct deny tor_url
>> always_direct allow all
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> http_port 3127
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
>> key=/usr/local/squid/etc/rootCA.key
>> > I also tried such a config.
>> > With such "http_port" and "http_port intercept" with ssl-bump at last.
>> > Although curl works under test, the certificate is not the fake one.
>> > (Issuer is not my fake one)
>> > So I consider the ssl-bump not working in that case.
>>
>> > I'd like to reply when I set it up later to test.
>>
>> > Thanks
>>
>> sslproxy_capath /etc/opt/csw/ssl/certs
>> sslproxy_options NO_SSLv2 NO_SSLv3
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M
>> 4MB
>>
>> Generally,
>>
>> works like a charm.
>>
>> 06.07.15 15:22, adam900710 writes:
>> >>> Hi all,
>> >>>
>> >>> I tried to build an SSL bumping proxy with an upper-level proxy, but the client
>> >>> failed to connect like the following.
>> >>>
>> >>> The error:
>> >>> ---
>> >>> $ curl https://www.google.co.jp -vvvv -k
>> >>> * Rebuilt URL to: https://www.google.co.jp/
>> >>> *   Trying ::1...
>> >>> * Connected to localhost (::1) port 3128 (#0)
>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
>> >>>> Host: www.google.co.jp:443
>> >>>> User-Agent: curl/7.43.0
>> >>>> Proxy-Connection: Keep-Alive
>> >>>>
>> >>> < HTTP/1.1 200 Connection established
>> >>> <
>> >>> * Proxy replied OK to CONNECT request
>> >>> * ALPN, offering http/1.1
>> >>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> >>> * successfully set certificate verify locations:
>> >>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>> >>>   CApath: none
>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>> >>> * Closing connection 0
>> >>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>> >>> ---
>> >>>
>> >>> My squid.conf:
>> >>> ---
>> >>> # default acls/configs are ignored
>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>> >>> never_direct allow all
>> >>> ssl_bump peek all
>> >>> ssl_bump bump all
>> >>> http_port 3128 ssl-bump \
>> >>>   cert=/etc/squid/ssl/ca.crt \
>> >>>   key=/etc/squid/ssl/ca.key \
>> >>>   generate-host-certificates=on \
>> >>>   dynamic_cert_mem_cache_size=4MB
>> >>> ---
>> >>>
>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>> >>> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
>> >>> or I can't ever access some sites.
>> >>>
>> >>> Here are some of my experiments:
>> >>> 1) Remove "never_direct"
>> >>> Then ssl_bump works as expected, but all traffic doesn't go through
>> >>> the SOCKS5 proxy. So a lot of sites I can't access.
>> >>>
>> >>> 2) Use local 8118 proxy
>> >>> That works fine without any problem, but ssl_bump is needed...
>> >>> So that just proves privoxy is working.
>> >>>
>> >>> Any clue?
>> >>>
>> >>> Thanks
>> >>> _______________________________________________
>> >>> squid-users mailing list
>> >>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> >>> http://lists.squid-cache.org/listinfo/squid-users
>> >>>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVmo9ZAAoJENNXIZxhPexGjzsIALCunLEQOJGKkcm0V0wr3QTQ
> xdfkLvJTh9i5sJNaMGbfuE2SCYIERf7HOTu9vNFpFwZBZoQTiMqud1v8KQkzGXTC
> xXCjlLAu937DJ+cJoeWNw+wacCB5wBFp4GoonoF3zf2HdIu76u5BQn2WeFZEfnN0
> G1WNMh2j7BlCOgRzI7cPnFZPzomcwlCRm7VqfgmadBMU9NpP3w+iVlngGTbt0WOu
> Apf6ktZpumfvu68hu0I1Vtn746Dz/U+mmU8Ue+FBga5wyYW6JSMMAQOdsZTeXLnh
> Iyu56A47ouNkugcueeuLOXbVlE9N44KpBc96QkXdOvKyx+VemRzaCrMYlvaFO1U=
> =Mt1T
> -----END PGP SIGNATURE-----
> _______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
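Added example, not part of this thread and not Squid or Privoxy code: the check the poster did by eye, scripted. The only reliable sign that ssl_bump took effect is that the certificate the client receives is issued by the bump CA rather than by the origin's CA; the access.log line quoted above (TCP_TUNNEL for the CONNECT, FIRSTUP_PARENT for the cache_peer) is the matching server-side evidence that the CONNECT was tunneled to the parent instead of being bumped. The bump CA subject `CN=Squid Bump CA` and the three sample inputs are constructed assumptions; the configs in the thread do not state the CA's subject.

```shell
#!/bin/sh
# Added example, not from the thread: verify whether Squid's ssl_bump actually
# took effect for a CONNECT, the way the poster checked by eye.
# Assumption: the subject of the bump CA (rootCA.crt / ca.crt in the thread).
BUMP_CA_SUBJECT="CN=Squid Bump CA"

# Print the issuer line of the server certificate from "curl -v" output on stdin.
curl_issuer() {
    sed -n 's/^\*[[:space:]]*issuer:[[:space:]]*//p' | head -n 1
}

# Exit 0 if the issuer seen by the client is the bump CA (bumped), 1 otherwise
# (the origin certificate came through a tunnel, or there was no issuer line).
is_bumped() {
    issuer=$(curl_issuer)
    case "$issuer" in
        *"$BUMP_CA_SUBJECT"*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Same check as a word, so it can be compared in scripts and tests.
bump_verdict() {
    if is_bumped; then echo bumped; else echo "not bumped"; fi
}

# Squid native access.log fields: time elapsed client code/status bytes method
# url ident hierarchy/peer type. For every CONNECT print "url result hierarchy".
# TCP_TUNNEL means Squid passed the bytes through opaquely (no bump);
# FIRSTUP_PARENT/x means the CONNECT was sent to cache_peer x, not to the origin.
squid_connect_status() {
    awk '$6 == "CONNECT" { split($4, rc, "/"); print $7, rc[1], $9 }'
}

# Constructed sample 1: the output the poster saw (origin cert, so not bumped).
SAMPLE_TUNNELED='* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.'

# Constructed sample 2: what a bumped session looks like. The issuer is the bump
# CA, so curl needs -k (or the CA in its trust store) to get this far.
SAMPLE_BUMPED='* Server certificate:
*  subject: CN=www.google.com
*  issuer: CN=Squid Bump CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.'

# Constructed sample 3: the access.log line quoted in the thread.
SAMPLE_LOG='1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -'

verdict_for()    { printf '%s\n' "$1" | bump_verdict; }
log_status_for() { printf '%s\n' "$1" | squid_connect_status; }

# Stand-alone run over the samples. Against a live proxy on 127.0.0.1:3128 use:
#   curl -sS -o /dev/null -x http://127.0.0.1:3128 -k -v https://www.google.com 2>&1 | bump_verdict
echo "sample 1:   $(verdict_for "$SAMPLE_TUNNELED")"
echo "sample 2:   $(verdict_for "$SAMPLE_BUMPED")"
echo "access.log: $(log_status_for "$SAMPLE_LOG")"
```

A "bumped" verdict obtained with `-k` only says that Squid generated the certificate; it says nothing about whether the client trusts the bump CA, which is a separate deployment step. Run the log check on the proxy host and the curl check from the client side together: a tunneled CONNECT with the origin issuer is exactly the state the thread describes.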