OK, it seems that CONNECT+SSL/TLS is really not supported yet... So I use proxychains and allow_direct without cache_peer. And things work:
------
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.google.com
*  start date: 2015-07-06 07:17:41 GMT
*  expire date: 2018-04-25 07:17:41 GMT
*  issuer: C=XX; ST=XXXXX; L=XXXXX; O=XXXXX; OU=Linux; CN=Splice SSL; emailAddress=XXXXX@XXXXX
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
------
Thanks everyone for the help.

2015-07-07 9:12 GMT+08:00 adam900710 <adam900710@xxxxxxxxx>:
> Some extra clue:
>
> Cache log says:
> ------
> 2015/07/07 08:55:54 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
> 2015/07/07 08:55:55 kid1| storeLateRelease: released 0 objects
> 2015/07/07 08:55:57 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
> ------
>
> So I tried adding "ssl" at the end of the "cache_peer" directive.
> And it still fails, but with a different error: a squid error page now.
>
> Google also found some mail archive from Amos, which implies that squid doesn't yet support CONNECT + SSL/TLS cache_peer.
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Behind-enemy-lines-squid-behind-proxy-td4668223.html
>
> If so, I think I'd better seek other solutions like using direct_allow with tsocks/proxychains...
>
> Thanks.
>
> 2015-07-07 8:54 GMT+08:00 adam900710 <adam900710@xxxxxxxxx>:
>> Tried your config in my environment.
>> Although curl can get to the sites through privoxy, just like the log says:
>> ------
>> 1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
>> ------
>>
>> But the certificate I got is still the original one, not the fake one:
>> ------
>> * Server certificate:
>> *  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
>> *  start date: 2015-06-18 08:52:56 GMT
>> *  expire date: 2015-09-16 00:00:00 GMT
>> *  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
>> *  SSL certificate verify ok.
>> ------
>>
>> Does it work only in 3.4?
>> Anyway, I'll try to downgrade squid and try it again.
>>
>> Thanks
>>
>> 2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>>
>>> I use the 3.4 version. Yes, these are old directives.
>>>
>>> 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception environment.
>>>
>>> 06.07.15 20:21, adam900710 wrote:
>>>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>>>>
>>>> My own solution in conjunction with Tor + Privoxy looks like this (Note: for Squid 3.4.13):
>>>>
>>>> # Tor acl
>>>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>>>
>>>> # SSL bump rules
>>>> sslproxy_cert_error allow all
>>>> ssl_bump none localhost
>>>> ssl_bump none url_nobump
>>>> ssl_bump none dst_nobump
>>>> ssl_bump server-first net_bump
>>>> > This seems to be an old config directive.
>>>> > The new corresponding one should be "ssl_bump bump net_bump"
>>>>
>>>> > And, no "peek" one? Or is that the problem?
>>>>
>>>> > Thanks.
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow tor_url
>>>> always_direct deny tor_url
>>>> always_direct allow all
>>>>
>>>> # And finally deny all other access to this proxy
>>>> http_access deny all
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> http_port 3127
>>>> http_port 3128 intercept
>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key
>>>> > I also tried such a config.
>>>> > With such "http_port" and "http_port intercept", with ssl-bump at last.
>>>> > Although curl works under test, the certificate is not the fake one.
>>>> > (Issuer is not my fake one)
>>>> > So I consider the ssl-bump not working in that case.
>>>>
>>>> > I'd like to reply when I set it up later to test.
>>>>
>>>> > Thanks
>>>>
>>>> sslproxy_capath /etc/opt/csw/ssl/certs
>>>> sslproxy_options NO_SSLv2 NO_SSLv3
>>>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> Generally, works like a charm.
>>>>
>>>> 06.07.15 15:22, adam900710 wrote:
>>>> >>> Hi all,
>>>> >>>
>>>> >>> I tried to build an ssl bumping proxy with an up-level proxy, but the client failed to connect like the following.
>>>> >>>
>>>> >>> The error:
>>>> >>> ---
>>>> >>> $ curl https://www.google.co.jp -vvvv -k
>>>> >>> * Rebuilt URL to: https://www.google.co.jp/
>>>> >>> *   Trying ::1...
>>>> >>> * Connected to localhost (::1) port 3128 (#0)
>>>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>>> >>> > CONNECT www.google.co.jp:443 HTTP/1.1
>>>> >>> > Host: www.google.co.jp:443
>>>> >>> > User-Agent: curl/7.43.0
>>>> >>> > Proxy-Connection: Keep-Alive
>>>> >>> >
>>>> >>> < HTTP/1.1 200 Connection established
>>>> >>> <
>>>> >>> * Proxy replied OK to CONNECT request
>>>> >>> * ALPN, offering http/1.1
>>>> >>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>>> >>> * successfully set certificate verify locations:
>>>> >>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>>> >>>   CApath: none
>>>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>>>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>>>> >>> * Closing connection 0
>>>> >>> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
>>>> >>> ---
>>>> >>>
>>>> >>> My squid.conf:
>>>> >>> ---
>>>> >>> # default acls/configs are ignored
>>>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>>>> >>> never_direct allow all
>>>> >>> ssl_bump peek all
>>>> >>> ssl_bump bump all
>>>> >>> http_port 3128 ssl-bump \
>>>> >>>   cert=/etc/squid/ssl/ca.crt \
>>>> >>>   key=/etc/squid/ssl/ca.key \
>>>> >>>   generate-host-certificates=on \
>>>> >>>   dynamic_cert_mem_cache_size=4MB
>>>> >>> ---
>>>> >>>
>>>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>>>> >>> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy, or I can't ever access some sites.
>>>> >>>
>>>> >>> Here are some of my experiments:
>>>> >>> 1) Remove "never_direct"
>>>> >>> Then ssl_bump works as expected, but all traffic doesn't go through the SOCKS5 proxy. So a lot of sites I can't access.
>>>> >>>
>>>> >>> 2) Use local 8118 proxy
>>>> >>> That works fine without any problem, but SSL_dump is needed...
>>>> >>> So that just proves privoxy is working.
>>>> >>>
>>>> >>> Any clue?
>>>> >>>
>>>> >>> Thanks
>>>> >>> _______________________________________________
>>>> >>> squid-users mailing list
>>>> >>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>> >>> http://lists.squid-cache.org/listinfo/squid-users
>>>> >>>>
>>>
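The thread tells bumped from not-bumped by reading curl's "* issuer:" line by eye after every squid.conf change. Below is an added example that scripts that check with the Python standard library; it is not code from the thread, from Squid or from curl. It opens a CONNECT tunnel through the proxy, completes a TLS handshake inside the tunnel twice, once trusting only the bumping root CA and once trusting the system store, and reports which store accepted the certificate that came back. The proxy address 127.0.0.1:3128 and the CA path /etc/squid/ssl/ca.crt are assumptions (the path is the one from the first squid.conf posted; substitute your own).

```python
"""Probe whether an HTTP proxy is really SSL-bumping a CONNECT tunnel.

Added example for the squid-users thread above; not code from the thread
or from Squid. Assumed placeholders: proxy at 127.0.0.1:3128, bumping root
CA at /etc/squid/ssl/ca.crt (the cert= path in the first squid.conf).
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

Address = Tuple[str, int]


def build_connect_request(host: str, port: int) -> bytes:
    """The same CONNECT request that curl -v shows in the thread."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_status(raw: bytes) -> int:
    """Status code of the proxy's reply to CONNECT.

    Raises ValueError when the bytes are not an HTTP status line, so a proxy
    that answers with a TLS record or an error page instead of
    "HTTP/1.1 200 Connection established" is reported rather than ignored.
    """
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def issuer_cn(cert: dict) -> Optional[str]:
    """Issuer commonName from the dict ssl.SSLSocket.getpeercert() returns.

    The dict is empty when the chain was not verified, which is why probe()
    only calls this after a handshake that verified against some store.
    """
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(trusted_by_bump_ca: bool, trusted_by_system: bool) -> str:
    """Turn the two verification outcomes into a verdict."""
    if trusted_by_bump_ca:
        return "bumped"          # chains to our own root: the proxy forged it
    if trusted_by_system:
        return "not-bumped"      # the origin's real certificate passed through
    return "unknown-issuer"      # neither store trusts it: another interceptor?


def read_response_head(sock: socket.socket) -> bytes:
    """Read up to the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def open_tunnel(proxy: Address, target: Address) -> socket.socket:
    """TCP connection to the proxy with a CONNECT tunnel established on it."""
    sock = socket.create_connection(proxy, timeout=10)
    try:
        sock.sendall(build_connect_request(*target))
        status = parse_connect_status(read_response_head(sock))
        if status != 200:
            raise RuntimeError(f"proxy refused CONNECT with HTTP {status}")
    except Exception:
        sock.close()
        raise
    return sock


def probe(proxy: Address, target: Address, bump_ca_file: str) -> Tuple[str, Optional[str]]:
    """Handshake inside the tunnel with the bump CA store, then the system store.

    Returns (verdict, issuer CN of the certificate that verified, or None).
    """
    host = target[0]
    stores = (
        ("bump", ssl.create_default_context(cafile=bump_ca_file)),  # only our CA
        ("system", ssl.create_default_context()),                   # OS trust store
    )
    seen = {}
    for label, ctx in stores:
        try:
            with open_tunnel(proxy, target) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    seen[label] = issuer_cn(tls.getpeercert())
        except ssl.SSLCertVerificationError:
            seen[label] = None           # this store does not trust the chain
        except ssl.SSLError as exc:
            # curl's "(35) Unknown SSL protocol error" from the first post:
            # the tunnel opened, but nothing inside it completes a TLS handshake
            return "handshake-failed", str(exc)
    return classify(seen["bump"] is not None, seen["system"] is not None), (seen["bump"] or seen["system"])


if __name__ == "__main__":
    proxy = ("127.0.0.1", 3128)                                   # assumed
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    print(probe(proxy, (host, 443), "/etc/squid/ssl/ca.crt"))    # assumed path
```

Run it against a live proxy with `python3 bumpcheck.py www.google.com`. The three verdicts map onto the three states seen in the thread: "bumped" is the final run where the issuer came back as CN=Splice SSL, "not-bumped" is the cache_peer plus never_direct run where the original Google Internet Authority G2 certificate was passed through, and "handshake-failed" is the curl: (35) error from the first post. Trying the bump CA first and the system store second matters because a context that cannot verify the chain hands back an empty getpeercert() dict, so the issuer can only be read from whichever handshake actually verified.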