On 13/11/2015 1:04 a.m., Steve Hill wrote:
> On 12/11/15 09:04, Eugene M. Zheganin wrote:
>
>> I decided to intercept the HTTPS traffic on my production squids from
>> proxy-unaware clients to be able to tell them there's a proxy and they
>> should configure one.
>> So I'm doing it like (the process of forwarding using FreeBSD pf is not
>> shown here):
>>
>> ===Cut===
>> acl unauthorized proxy_auth stringthatwillnevermatch
>> acl step1 at_step sslBump1
>>
>> https_port 127.0.0.1:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>> https_port [::1]:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump splice all
>> ===Cut===
>>
>> Almost everything works, except that squid for some reason is generating
>> certificates in this case for IP addresses, not names, so the browser
>> shows a warning about the certificate being valid only for the IP, and not the name.
>
> proxy_auth won't work on intercepted traffic and will therefore always
> return false, so as far as I can see you're always going to peek and
> then splice. i.e. you're never going to bump, so squid should never be
> generating a forged certificate.
>
> You say that Squid _is_ generating a forged certificate, so something
> else is going on to cause it to do that. My first guess is that Squid
> is generating some kind of error page due to some http_access rules
> which you haven't listed, and is therefore bumping.
>
> Two possibilities spring to mind for the certificate being for the IP
> address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
> (use wireshark to confirm). In this case, Squid has no way to know what
> name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some reason.
> See: http://bugs.squid-cache.org/show_bug.cgi?id=4327

Use "debug_options ALL,0 33,5" to see what the ssl_bump access checks and
related parts are doing.

Amos