I have had my squid implementation for sslbump set up and working for some time now. I have had several people point out that my use of "sslproxy_flags DONT_VERIFY_PEER" is dangerous from a security standpoint. When I was first trying to get sslbump working, it would not work until I saw a suggestion somewhere that that sslproxy_flags option could be used. When I tried it, sslbump started working.
After several configurations adding the new peek+splice and peek+bump features, I am still not able to remove "sslproxy_flags DONT_VERIFY_PEER". Whenever I try removing it, I get the error message that my browser is trying to connect to an unsecured site, or "Untrusted connection", whenever it tries to connect to an https site.
Here is my squid.conf:
visible_hostname smoothwall
# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------
http_access allow SWE_subnets
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
http_port 127.0.0.1:800 intercept
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
http_access deny all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 92
cache_swap_low 90
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir aufs /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
umask 022
logfile_rotate 0
strip_query_terms off
url_rewrite_program /var/smoothwall/mods/ufdbguard/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 64 startup=16 idle=4 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni='%ssl::>sni' referer='%{Referer}>h'"
Does anyone have any suggestions on how I can remove that proxy flag and still keep sslbump working?
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
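The following squid.conf fragment is an added editorial example, not part of the poster's configuration or of the Squid project's documentation. It shows the weak setting from the post beside the setting a practitioner would use instead, for Squid 3.5-era directives. The security point: DONT_VERIFY_PEER makes Squid accept any origin certificate, so anyone who can sit between the proxy and the origin can impersonate every HTTPS site for every client behind the proxy, and the bumped clients cannot tell because they only ever see Squid's own generated certificate. Removing the flag makes Squid verify origin certificates itself; for that it needs a CA bundle it can find, which is the usual reason "every site is untrusted" appears right after the flag is removed. In Squid 3.5 the default sslproxy_cert_sign rules sign the generated certificate with an untrusted key whenever the origin certificate failed validation, which is exactly the browser symptom described above. The CA bundle path, the internal host name and the ssl_error exception are assumptions for illustration, not values taken from the post.

```conf
# --- Before (from the post): every origin certificate is accepted, so an
# attacker between Squid and the internet can impersonate any HTTPS site.
# sslproxy_cert_error deny all
# sslproxy_flags DONT_VERIFY_PEER

# --- After: verify origin certificates against a CA bundle.
# Path is an assumption; use the bundle shipped with the OS or the Smoothwall
# build (a bundle Squid cannot open is a fatal error at startup, not a silent
# fall-through, so check cache.log after reconfigure).
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Or, for a hashed directory of CA certificates (c_rehash format):
#sslproxy_capath /etc/ssl/certs

# Keep the hard deny as the default. With DONT_VERIFY_PEER gone this line
# now actually does something: validation failures are refused rather than
# silently passed to the client under Squid's own CA.
sslproxy_cert_error deny all

# Optional, narrowly scoped exception for one internal host whose chain is
# missing an intermediate (hypothetical host and error for illustration).
# Both ACLs must match: the specific error AND the specific server name.
acl internal_appliance ssl::server_name appliance.internal.example
acl missing_issuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
sslproxy_cert_error allow missing_issuer internal_appliance
# (the "deny all" above must remain the last sslproxy_cert_error rule;
#  place the allow rule before it in the real file)

# Make the failure mode visible instead of guessing: section 83 is Squid's
# TLS/SSL-Bump debug section. Uncomment while troubleshooting, then revert.
#debug_options ALL,1 83,5
```

Check the file with `squid -k parse` before `squid -k reconfigure`, then visit an HTTPS site and look in cache.log for "certificate verify failed" or "unable to get local issuer certificate"; either one points at the bundle, not at the ssl_bump rules. Once origin verification works, the generated certificates are again signed by the configured squidCA.pem and the browser warning goes away for every site whose real certificate is valid, which is the behaviour DONT_VERIFY_PEER was masking.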