Dears,
I am setting up SSL-bump for squid 3.5 on CentOS 7. I already generated the SSL certificate with the below commands:
# Self-signed CA that Squid will use to sign the per-host certificates it generates
OPENSSL=/usr/bin/openssl
SSLDIR=/etc/mydlp/ssl
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
# 4096-bit RSA private key of the CA
[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private.pem
# Self-signed CA certificate valid for 10 years; the subject fields are fed to the interactive prompts
[ -e $SSLDIR/public.pem ] || (echo -e "TR\nAnkara\nTechnopolis\nMyDLP\nMyDLP\n*\nsupport@xxxxxxxxx\n"| $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/private.pem -out $SSLDIR/public.pem)
# DER copy of the CA certificate, for import into the client machines' trust store
[ -e $SSLDIR/user.der ] || $OPENSSL x509 -in $SSLDIR/public.pem -outform DER -out $SSLDIR/user.der
In addition, below you can find a snippet from the squid.conf file:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
# Or maybe deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
In addition, I added the user.der file to the certificate authorities on the user machine. The problem is that it's not working. Moreover, the Squid service restarts without any issues. Also, please find attached the result of the squid configuration test.
Appreciate your assistance.
Mohammed M AlJakri
[root@localhost ]# squid -k parse
2017/04/17 05:15:29| Startup: Initializing Authentication Schemes ...
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'basic'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'digest'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/17 05:15:29| Startup: Initialized Authentication.
2017/04/17 05:15:29| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/17 05:15:29| Processing: acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/04/17 05:15:29| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/04/17 05:15:29| Processing: acl SSL_ports port 443
2017/04/17 05:15:29| Processing: acl Safe_ports port 80 # http
2017/04/17 05:15:29| Processing: acl Safe_ports port 21 # ftp
2017/04/17 05:15:29| Processing: acl Safe_ports port 443 # https
2017/04/17 05:15:29| Processing: acl Safe_ports port 70 # gopher
2017/04/17 05:15:29| Processing: acl Safe_ports port 210 # wais
2017/04/17 05:15:29| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/17 05:15:29| Processing: acl Safe_ports port 280 # http-mgmt
2017/04/17 05:15:29| Processing: acl Safe_ports port 488 # gss-http
2017/04/17 05:15:29| Processing: acl Safe_ports port 591 # filemaker
2017/04/17 05:15:29| Processing: acl Safe_ports port 777 # multiling http
2017/04/17 05:15:29| Processing: acl CONNECT method CONNECT
2017/04/17 05:15:29| Processing: http_access deny !Safe_ports
2017/04/17 05:15:29| Processing: http_access deny CONNECT !SSL_ports
2017/04/17 05:15:29| Processing: http_access allow localhost manager
2017/04/17 05:15:29| Processing: http_access deny manager
2017/04/17 05:15:29| Processing: http_access allow localnet
2017/04/17 05:15:29| Processing: http_access allow localhost
2017/04/17 05:15:29| Processing: http_access allow all
2017/04/17 05:15:29| Processing: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
2017/04/17 05:15:29| Processing: always_direct allow all
2017/04/17 05:15:29| Processing: ssl_bump allow all
2017/04/17 05:15:29| SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
2017/04/17 05:15:29| Processing: sslproxy_cert_error allow all
2017/04/17 05:15:29| Processing: sslproxy_flags DONT_VERIFY_PEER
2017/04/17 05:15:29| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/04/17 05:15:29| Processing: sslcrtd_children 5
2017/04/17 05:15:29| Processing: coredump_dir /var/spool/squid
2017/04/17 05:15:29| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/04/17 05:15:29| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/04/17 05:15:29| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/04/17 05:15:29| Processing: refresh_pattern . 0 20% 4320
2017/04/17 05:15:29| Initializing https proxy context
2017/04/17 05:15:29| Initializing http_port [::]:3128 SSL context
2017/04/17 05:15:29| Using certificate in /etc/mydlp/ssl/public.pem
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
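An added pre-flight script (not from the original post or from the Squid project) that checks the artefacts the post's setup depends on before debugging Squid itself: that public.pem is really a CA certificate, that private.pem is its key and is not readable by other users, and that the ssl_db directory named in sslcrtd_program has been initialised with `ssl_crtd -c`. It assumes the file names and paths from the post and the index.txt/size/certs layout that `ssl_crtd -c` creates.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check the CA files and the
# ssl_db directory that the post's script and squid.conf refer to.
# Usage: sh check_bump.sh /etc/mydlp/ssl /var/lib/ssl_db   (paths from the post)

# 1. Squid can only mint per-host certificates if the bumping cert is a CA.
#    "openssl req -new -x509" normally applies the v3_ca section of openssl.cnf,
#    but a customised config may not, so check basicConstraints explicitly.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 2. key= and cert= on http_port must be a pair; compare the RSA modulus.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 3. This key signs a certificate for every bumped site, so it must not be
#    readable by other local users. stat -c is GNU coreutils (as on CentOS).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 4. sslcrtd_program expects a database created once with
#    "ssl_crtd -c -s /var/lib/ssl_db", which writes index.txt, size and certs/.
ssldb_initialised() {
    [ -f "$1/index.txt" ] && [ -f "$1/size" ] && [ -d "$1/certs" ]
}

# Run one check, print PASS/FAIL with the check's name, count failures.
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fails=$((fails + 1)); fi
}

# Run every check against an ssl dir and an ssl_db dir; returns the failure count.
check_bump_setup() {
    fails=0
    report cert_is_ca "$1/public.pem"
    report key_matches_cert "$1/public.pem" "$1/private.pem"
    report key_is_private "$1/private.pem"
    report ssldb_initialised "$2"
    return "$fails"
}

[ $# -eq 2 ] && check_bump_setup "$1" "$2"
```

A non-zero exit status means at least one FAIL line was printed; the ssl_db check only covers initialisation, not ownership by the user Squid runs as.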