
Re: SSLBump just not working

On Thu, Aug 4, 2016 at 10:20 AM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 08/03/2016 08:45 PM, JR Dalrymple wrote:

> To be brutally honest the whole concept is still a bit lost on me

[rant]Admitting one's limitations is often the most difficult first
step, but please do not stop here! Suggestions for where to go next: Ask
good questions, do not accept answers you do not fully understand,
provide excellent debugging info, and carefully update Squid wiki as you
master the concept. Repeat as needed.

IMHO, without solid SslBump understanding and providing good debugging,
you confine yourself to the endless copy-pasting of random config
snippets that usually do something you do not want and do not do
something you do want. Your ability to troubleshoot problems (and there
will be problems!) approaches zero in this case.

Most Squid-related concepts are easy and can be brute-forced by
trial-and-error. SslBump is different.[/rant]


> I'm still having issues I'm afraid - albeit different issues. My problem
> now reads a lot like this guy's issue:
> https://www.mail-archive.com/misc@xxxxxxxxxxx/msg144692.html

That email thread does not have enough info to know what the problem
really is and contains a seemingly bogus (or at least very poorly
detailed) solution. In other words, this is one of the many SslBump
threads you may be better off ignoring for now.


> My browser just times out and no
> auto-generated certificate is ever generated.

> ssl_bump stare all
> ssl_bump bump all

Sounds like a good start to me, provided you _understand_ what these
rules do and why this simple configuration is equivalent to the more
complex one!


> I've
> turned off the debugging as I wasn't getting anything terribly useful
> out of it.

That's fine if you want folks to keep guessing what your problem is. If
you want more efficient help, use the latest Squid, isolate the problem
to a single HTTPS transaction, and share the corresponding ALL,9 log:

http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.


Thanks for the encouragement Alex,

I was doing single-transaction debugging all along, as this is currently configured in a lab with a single client.

I've gotten it working at this point, but not due to diligent debugging I'm afraid - more just a lucky shot in the dark. I reconfigured my system and lab network to perform the bump on intercepted traffic. It *just works*. I honestly don't care to backtrack and debug direct proxy requests as it wasn't part of my planned end-state anyway.

For posterity's sake, here are the relevant parts of my working configuration:

/etc/pf.conf:
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129

squid.conf:
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem

# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--enable-icmp' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-auth' '--with-openssl' --enable-ltdl-convenience

# uname -a
OpenBSD router.example.local 5.9 GENERIC#1761 amd64

Thanks again for all your help.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
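The posted pf.conf and squid.conf only work together when the divert-to targets line up with Squid's intercept listeners: port 443 has to land on an https_port carrying ssl-bump and a cert, and port 80 on an http_port, all in intercept mode. The script below is an added example (not code from the post or from the Squid project) that parses both fragments and cross-checks them. The first pair of fragments is the working configuration from the post; the second pair is constructed here to show the checker catching two classic mistakes (443 diverted to the plain http_port, and an https_port opened on every interface without ssl-bump). The required https_port options and the "bind intercept ports to the divert address" rule are the checker's own policy, taken from what the posted working config does, not a statement of Squid's minimum requirements.

```python
"""Consistency check for OpenBSD pf divert-to rules vs. Squid intercept ports.

Added example; not code from the original post or from the Squid project.
"""
import re
import shlex

# Working fragments as posted (OpenBSD 5.9 pf + Squid 3.5.20).
PF_CONF_OK = """\
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129
"""
SQUID_CONF_OK = """\
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
"""

# Constructed broken pair (not from the post): 443 diverted to the http_port,
# https_port bound to all interfaces and missing ssl-bump.
PF_CONF_BAD = """\
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3128
"""
SQUID_CONF_BAD = """\
http_port 127.0.0.1:3128 intercept
https_port 3129 intercept cert=/usr/local/squid/etc/ssl/CA.pem
"""

DIVERT_RE = re.compile(
    r"^\s*pass\s+in\b.*?\bport\s+(\d+)\s+divert-to\s+(\S+)\s+port\s+(\d+)")
MODES = ("intercept", "tproxy", "accel")


def parse_pf(text):
    """Map client destination port -> (divert address, divert port)."""
    rules = {}
    for line in text.splitlines():
        m = DIVERT_RE.match(line)
        if m:
            rules[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return rules


def parse_squid_ports(text):
    """Map listening port -> details of each http_port / https_port line."""
    ports = {}
    for line in text.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        addr, _, port = parts[1].rpartition(":")   # "127.0.0.1:3128" or "3129"
        opts = {}
        for opt in parts[2:]:
            key, _, val = opt.partition("=")
            opts[key] = val or True
        ports[int(port)] = {
            "directive": parts[0],
            "bind": addr or "*",                      # "*" = all interfaces
            "mode": next((p for p in parts[2:] if p in MODES), "forward"),
            "opts": opts,
        }
    return ports


def check(pf_text, squid_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    rules = parse_pf(pf_text)
    ports = parse_squid_ports(squid_text)

    # 1. Every divert-to target must be a Squid port in intercept mode, and
    #    port 443 must land on an https_port (divert-to hands Squid the raw
    #    TLS client hello, which an http_port cannot parse).
    for dst_port, (addr, sq_port) in sorted(rules.items()):
        entry = ports.get(sq_port)
        if entry is None:
            findings.append(f"pf diverts :{dst_port} to {addr}:{sq_port} but Squid opens no port {sq_port}")
            continue
        if entry["mode"] != "intercept":
            findings.append(f"Squid port {sq_port} is '{entry['mode']}', needs 'intercept' for divert-to traffic")
        if entry["bind"] not in ("*", addr):
            findings.append(f"Squid port {sq_port} binds {entry['bind']} but pf diverts to {addr}")
        want = "https_port" if dst_port == 443 else "http_port"
        if entry["directive"] != want:
            findings.append(f"pf diverts :{dst_port} to {sq_port}, which is {entry['directive']} not {want}")

    # 2. Every intercept port: keep it on the divert (loopback) address, and an
    #    https_port must carry the options the posted working config uses.
    for sq_port, entry in sorted(ports.items()):
        if entry["mode"] != "intercept":
            continue
        if entry["bind"] == "*":
            findings.append(f"intercept port {sq_port} listens on all interfaces; bind it to 127.0.0.1")
        if entry["directive"] == "https_port":
            for opt in ("ssl-bump", "cert", "generate-host-certificates"):
                if opt not in entry["opts"]:
                    findings.append(f"https_port {sq_port} lacks {opt}")
    return findings


if __name__ == "__main__":
    for label, pf, sq in (("posted", PF_CONF_OK, SQUID_CONF_OK),
                          ("constructed-bad", PF_CONF_BAD, SQUID_CONF_BAD)):
        print(f"[{label}]", check(pf, sq) or "OK")
```

Run it as-is and the posted pair comes back clean while the constructed pair reports four findings; to use it on a real host, read /etc/pf.conf and squid.conf into the two arguments of check(). It does not replace `pfctl -nf /etc/pf.conf` and `squid -k parse`, which validate each file's syntax; it only catches the cross-file mismatch that neither tool can see.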
