Some extra clue:

Cache log says:
------
2015/07/07 08:55:54 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2015/07/07 08:55:55 kid1| storeLateRelease: released 0 objects
2015/07/07 08:55:57 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
------

So I tried adding "ssl" at the end of the "cache_peer" directive.
And it still fails, but with a different error: a squid error page now.

Google also found some mail archive from Amos, which implies that squid doesn't yet support CONNECT + SSL/TLS cache_peer.
http://squid-web-proxy-cache.1019090.n4.nabble.com/Behind-enemy-lines-squid-behind-proxy-td4668223.html

If so, I think I'd better seek other solutions like using direct_allow with tsocks/proxychains...

Thanks.

2015-07-07 8:54 GMT+08:00 adam900710 <adam900710@xxxxxxxxx>:
> Tried your config in my environment.
> Although curl can get to the sites through privoxy, just like the log says:
> ------
> 1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
> ------
>
> But the certificate got is still the original one, not the fake one:
> ------
> * Server certificate:
> *  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
> *  start date: 2015-06-18 08:52:56 GMT
> *  expire date: 2015-09-16 00:00:00 GMT
> *  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
> *  SSL certificate verify ok.
> ------
>
> Does it work only in 3.4?
> Anyway, I'll try to downgrade squid and try it again.
>
> Thanks
>
> 2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>
>> I use 3.4 version. Yes, these are old directives.
>>
>> 3.5.x, in my opinion, don't do SSL Bump in NAT transparent interception
>> environment.
>>
>> 06.07.15 20:21, adam900710 wrote:
>>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>>>
>>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>>> for Squid 3.4.13):
>>>
>>> # Tor acl
>>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>>
>>> # SSL bump rules
>>> sslproxy_cert_error allow all
>>> ssl_bump none localhost
>>> ssl_bump none url_nobump
>>> ssl_bump none dst_nobump
>>> ssl_bump server-first net_bump
>>> > This seems to be an old config directive.
>>> > The new corresponding one should be "ssl_bump bump net_bump"
>>>
>>> > And, no "peek" one? Or is that the problem?
>>>
>>> > Thanks.
>>>
>>> # Privoxy+Tor access rules
>>> never_direct allow tor_url
>>> always_direct deny tor_url
>>> always_direct allow all
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>> # Local Privoxy is cache parent
>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>
>>> cache_peer_access 127.0.0.1 allow tor_url
>>> cache_peer_access 127.0.0.1 deny all
>>>
>>> http_port 3127
>>> http_port 3128 intercept
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key
>>> > I also tried such a config.
>>> > With such "http_port" and "http_port intercept" with ssl-bump at last.
>>> > Although curl works under test, the certificate is not the fake one.
>>> > (Issuer is not my fake one)
>>> > So I consider the ssl-bump not working in that case.
>>>
>>> > I'd like to reply when I set it up later to test.
>>>
>>> > Thanks
>>>
>>> sslproxy_capath /etc/opt/csw/ssl/certs
>>> sslproxy_options NO_SSLv2 NO_SSLv3
>>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> Generally,
>>>
>>> works like a charm.
>>>
>>> 06.07.15 15:22, adam900710 wrote:
>>> >>> Hi all,
>>> >>>
>>> >>> I tried to build an ssl bumping proxy with an upper-level proxy, but the client
>>> >>> failed to connect like the following.
>>> >>>
>>> >>> The error:
>>> >>> ---
>>> >>> $ curl https://www.google.co.jp -vvvv -k
>>> >>> * Rebuilt URL to: https://www.google.co.jp/
>>> >>> *   Trying ::1...
>>> >>> * Connected to localhost (::1) port 3128 (#0)
>>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
>>> >>>> Host: www.google.co.jp:443
>>> >>>> User-Agent: curl/7.43.0
>>> >>>> Proxy-Connection: Keep-Alive
>>> >>>>
>>> >>> < HTTP/1.1 200 Connection established
>>> >>> <
>>> >>> * Proxy replied OK to CONNECT request
>>> >>> * ALPN, offering http/1.1
>>> >>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>> >>> * successfully set certificate verify locations:
>>> >>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>> >>>   CApath: none
>>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>>> >>> * Closing connection 0
>>> >>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>>> >>> ---
>>> >>>
>>> >>> My squid.conf:
>>> >>> ---
>>> >>> # default acls/configs are ignored
>>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>>> >>> never_direct allow all
>>> >>> ssl_bump peek all
>>> >>> ssl_bump bump all
>>> >>> http_port 3128 ssl-bump \
>>> >>>     cert=/etc/squid/ssl/ca.crt \
>>> >>>     key=/etc/squid/ssl/ca.key \
>>> >>>     generate-host-certificates=on \
>>> >>>     dynamic_cert_mem_cache_size=4MB
>>> >>> ---
>>> >>>
>>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>>> >>> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
>>> >>> or I can't ever access some sites.
>>> >>>
>>> >>> Here are some of my experiments:
>>> >>> 1) Remove "never_direct"
>>> >>> Then ssl_bump works as expected, but all traffic doesn't go through
>>> >>> the SOCKS5 proxy. So a lot of sites I can't access.
>>> >>>
>>> >>> 2) Use local 8118 proxy
>>> >>> That works fine without any problem, but SSL_dump is needed...
>>> >>> So that just proves privoxy is working.
>>> >>>
>>> >>> Any clue?
>>> >>>
>>> >>> Thanks
>>> >>> _______________________________________________
>>> >>> squid-users mailing list
>>> >>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> >>> http://lists.squid-cache.org/listinfo/squid-users
>>> >>>>
>>
>>
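Both posters judge whether ssl-bump is in effect the same way: by looking at who issued the certificate the client receives through the proxy (the real "Google Internet Authority G2" means pass-through; the proxy's own CA means the connection was bumped). The script below automates that check. It is an added example for this thread, not code from either poster or from the Squid project: it opens a CONNECT tunnel through the proxy and then performs the TLS handshake with a context that trusts nothing but the bumping CA, so a successful handshake proves the proxy substituted a certificate minted by that CA, while a verification error proves the origin certificate was passed through unchanged. The proxy address (localhost:3128) and CA path (/etc/squid/ssl/ca.crt) are taken from the poster's squid.conf as defaults; the target host is an assumption.

```python
"""Probe whether HTTPS traffic sent through a Squid proxy is being SSL-bumped.

Added example for the squid-users thread above; not code from the thread or
from the Squid project. Assumed defaults: proxy at localhost:3128 and the
bumping CA at /etc/squid/ssl/ca.crt, as in the poster's squid.conf.
"""
import socket
import ssl
import sys


def parse_connect_reply(reply):
    """Parse the status line of the proxy's reply to a CONNECT request.

    Returns (status_code, reason). Raises ValueError if it is not an HTTP
    status line at all (e.g. the proxy sent garbage or closed early).
    """
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return code, reason


def rdn_to_dict(name):
    """Flatten the nested tuples that ssl's getpeercert() uses for the
    'issuer' and 'subject' fields into a plain {attribute: value} dict."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def open_connect_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=10):
    """Send CONNECT to the proxy and hand back the raw socket once the proxy
    answers 200; the tunnel is then ready for a TLS handshake."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(
            f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n".encode("ascii")
        )
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            reply += chunk
        code, reason = parse_connect_reply(reply)
        if code != 200:
            raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
        return sock
    except Exception:
        sock.close()
        raise


def probe_bump(proxy_host, proxy_port, target_host, bumping_ca_pem):
    """Handshake inside the tunnel trusting ONLY the bumping CA.

    Success means the proxy bumped the connection (the client received a
    certificate chaining to that CA); SSLCertVerificationError means the
    origin server's certificate was passed through untouched.
    Returns (bumped: bool, issuer: dict or None).
    """
    # create_default_context(cafile=...) loads that file instead of the
    # system trust store, so the real origin CA is deliberately NOT trusted.
    ctx = ssl.create_default_context(cafile=bumping_ca_pem)
    raw = open_connect_tunnel(proxy_host, proxy_port, target_host, 443)
    try:
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            cert = tls.getpeercert()
            return True, rdn_to_dict(cert["issuer"])
    except ssl.SSLCertVerificationError:
        return False, None
    finally:
        raw.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"  # assumed target
    bumped, issuer = probe_bump("localhost", 3128, host, "/etc/squid/ssl/ca.crt")
    if bumped:
        print(f"{host}: bumped, certificate issued by {issuer.get('commonName')}")
    else:
        print(f"{host}: NOT bumped, origin certificate passed through unchanged")
```

Run it with the target host as the only argument while the proxy is up. Because the hostname check stays enabled, a "bumped" result also confirms that generate-host-certificates produced a certificate for the requested name; a CONNECT refused by the proxy surfaces as a ConnectionError rather than being mistaken for a pass-through.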