
Re: SSLBump just not working

On Wed, Aug 3, 2016 at 9:14 AM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 08/02/2016 09:53 PM, Amos Jeffries wrote:

> To do bumping with server certificate mimic you need the 'bump' action
> to occur at #3.

Thanks for the clarification. I probably read that 100 times in the documentation but it didn't really sink in until today how that all works. To be brutally honest the whole concept is still a bit lost on me, but I can make sense that you have to perform the SNI CONNECT bits before you can actually bump. My apologies for the earlier misunderstanding...
 
>
> Like:
>  acl step1 at_step SslBump1
>  acl step2 at_step SslBump2
>  ssl_bump peek step1
>  ssl_bump stare step2
>  ssl_bump bump all
>
> (or maybe stare and both non-3 steps. I'm not 100% certain there.).


Yes, all of the above can be polished and simplified to become just two
lines:

  ssl_bump stare all
  ssl_bump bump all

I'm still having issues I'm afraid - albeit different issues. My problem now reads a lot like this guy's issue:

https://www.mail-archive.com/misc@xxxxxxxxxxx/msg144692.html

I did however perform the step he did to rectify his issue and it's not having any effect for me I'm afraid. My browser just times out and no auto-generated certificate is ever generated. I've combed through a number of configurations on the Internet at this point and I'm not seeing how mine is terribly different from anyone else's who is having success. For the sake of completeness I'll post my configuration as it stands today:

 # grep -v ^[\s]*$ /usr/local/squid/etc/squid.conf | grep -v ^#
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
ssl_bump stare all
ssl_bump bump all
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/gzgtgCA.pem
cache_dir ufs /var/cache/squid 4000 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign signTrusted
cache_effective_user squid
cache_effective_group squid
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10


I've tried various different combinations of ssl_bump directives including adding the step_1 and step_2 ACLs as suggested by Amos (verbatim), and additionally (again verbatim) the configuration outlined on the squid-cache.org site, but at this point the only behavior I'm getting out of the system is that which I've described. I have also tried both peeking and staring; as I understand the use case for my environment, stare would be most appropriate, however neither seems to be working for me at this point so it's moot. I've turned off the debugging as I wasn't getting anything terribly useful out of it. I could see CONNECTs to the https sites, and mentions that they qualified for stare or bump, but never did it seem to actually happen. If anyone has anything that I should grep for in debug logs to maybe help I'd be happy to oblige. Perhaps I should just abandon OpenBSD and move to a more common flavor of *nix - although I will miss PF.

Thanks for the help.
 
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
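
An added sanity check, not part of this thread or of Squid itself: it reads the cert=, ssl_crtd -s and cache_effective_user values out of a squid.conf like the one posted above and verifies the on-disk preconditions the certificate-generating helper depends on (a PEM carrying both certificate and key when no key= is given, an ssl_db that has been initialised with ssl_crtd -c, and ownership by the effective user). The fixture it builds is constructed with placeholder PEM bodies, not a real key, so the script runs stand-alone.

```shell
#!/bin/sh
# Added check (not from the thread): confirm what ssl_crtd needs on disk.

conf_value() {            # $1 = squid.conf, $2 = sed expression -> first match
  sed -n "$2" "$1" | head -n 1
}

# Prints one line per problem found; returns 0 only when every check passes.
check_sslbump_prereqs() { # $1 = path to squid.conf
  conf=$1; rc=0
  cert=$(conf_value "$conf" 's/^http_port .*cert=\([^ ]*\).*/\1/p')
  db=$(conf_value "$conf" 's/^sslcrtd_program .* -s \([^ ]*\).*/\1/p')
  user=$(conf_value "$conf" 's/^cache_effective_user[[:space:]]*\([^[:space:]]*\).*/\1/p')
  [ -n "$cert" ] || { echo "no cert= on an http_port line"; rc=1; }
  [ -n "$db" ]   || { echo "no -s <dir> on sslcrtd_program"; rc=1; }
  [ -n "$user" ] || { echo "no cache_effective_user"; rc=1; }
  [ $rc -eq 0 ] || return $rc
  # cert= without key= means the one PEM must hold the CA cert and its key
  grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null || { echo "$cert: no certificate block"; rc=1; }
  grep -q 'PRIVATE KEY' "$cert" 2>/dev/null || { echo "$cert: no private key block (and no key=)"; rc=1; }
  # the helper runs as cache_effective_user and must own an initialised ssl_db
  id -u "$user" >/dev/null 2>&1 || { echo "user $user does not exist"; rc=1; }
  [ -f "$db/index.txt" ] || { echo "$db: not initialised (run: ssl_crtd -c -s $db)"; rc=1; }
  owner=$(ls -ld "$db" 2>/dev/null | awk '{print $3}')
  [ "$owner" = "$user" ] || { echo "$db: owned by '$owner', not $user"; rc=1; }
  return $rc
}

# Constructed fixture (placeholder PEM text, not a real key) for a stand-alone run.
build_fixture() {         # $1 = scratch dir -> writes squid.conf, ca.pem, ssl_db/
  d=$1
  mkdir -p "$d/ssl_db/certs" && : > "$d/ssl_db/index.txt" && echo 0 > "$d/ssl_db/size"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' '-----END PRIVATE KEY-----' > "$d/ca.pem"
  cat > "$d/squid.conf" <<EOF
http_port 3128 ssl-bump generate-host-certificates=on cert=$d/ca.pem
ssl_bump stare all
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s $d/ssl_db -M 4MB
cache_effective_user $(id -un)
EOF
}

tmp=$(mktemp -d) && build_fixture "$tmp"
check_sslbump_prereqs "$tmp/squid.conf" && echo "OK: $tmp/squid.conf"
```

Point it at the real /usr/local/squid/etc/squid.conf to check the posted configuration; each failing precondition is printed on its own line.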