On 5/09/18 4:44 AM, turgut kalfaoğlu wrote:
> Hello there. I have a transparent squid at my home to speed up the
> browsing by caching stuff. And it works well for HTTP.
>
> For HTTPS, I was only able to get it to "peek" and I'd like to be able to
> bump the connections.
>
> I installed the server certificate on the client, but still, the browser
> (firefox) keeps complaining:
>
> Your connection is not secure
> The owner of www.facebook.com has configured their website improperly.
> To protect your information from being stolen, Firefox has not connected
> to this website.
> This site uses HTTP Strict Transport Security (HSTS) to specify that
> Firefox may only connect to it securely. As a result, it is not possible
> to add an exception for this certificate.

Squid removes HSTS from any network traffic it handles (except splice'd
traffic). So clearing the browser info and ensuring that the other
non-HTTP protocols browsers like to use these days (eg QUIC, SPDY,
WebSockets, HTTP/2) are not happening should resolve this issue.

If you do not (or cannot) clear the browser info, the HSTS should only
last until the TTL it last mentioned in traffic expires - but that can
be a very long timeout.

>
> Here is what I have:
> #
> # serverIsBank is a list of domains that are banks essentially. They
> seem more picky.
> #
> ssl_bump splice serverIsBank
> ssl_bump peek all
> # ssl_bump bump all   # this does not work, it gives the error above..

Try:

 # splice as soon as detected
 ssl_bump splice serverIsBank

 # step 1 - peek to get TLS SNI
 acl step1 at_step SslBump1
 ssl_bump peek step1

 # step 2 - stare to get server cert details for bump
 ssl_bump stare all

 # step 3 - terminate if splice failed, bump everything else
 ssl_bump terminate serverIsBank
 ssl_bump bump all

>
> https_port 3129 intercept ssl-bump \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
> cert=/etc/squid/ssl_cert/tk2ca.pem
> key=/etc/squid/ssl_cert/tk2ca.pem \

When cert= and key= are in the same file you do not need to specify key=.

> sslflags=NO_SESSION_REUSE
> tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt

That ca-bundle.crt is the global trusted CA, right? If yes, you do not
need to manually configure it. The system default CA / global trusted CA
are used by default on MITM outgoing connections.

> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
> sslproxy_cert_error allow all

Remove the above line. It prevents you from being told about important
problems. Instead, investigate errors that come up, and either fix or
ignore them on an individual basis. Some errors are simple and easily
avoided; others depend on your policy about whether the client should be
allowed to do the operation.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
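As an added illustration of the HSTS point in Amos's reply (this is not code from the thread, from Squid, or from Firefox), the Python below models the HSTS cache a browser keeps per RFC 6797: it parses Strict-Transport-Security headers, applies includeSubDomains matching, honours max-age=0 as a clear, and reports how long a host stays pinned once a bumping proxy has started stripping the header. Headers are passed as plain dicts, and every header value and timestamp is a constructed sample, not captured traffic; the `demo()` function walks through the www.facebook.com scenario from the question.

```python
"""Browser-side HSTS cache model (RFC 6797). Added illustration only;
not Squid code and not part of the squid-users thread."""

from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int            # seconds, from the max-age directive
    include_subdomains: bool
    preload: bool
    observed_at: float      # epoch seconds when the browser saw the header

    def expires_at(self) -> float:
        return self.observed_at + self.max_age

    def active_at(self, now: float) -> bool:
        return self.max_age > 0 and now < self.expires_at()


def parse_hsts(value: str, observed_at: float) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security field value.

    Directive names are case-insensitive and ';'-separated; max-age is
    mandatory and must be a non-negative integer (optionally quoted).
    A malformed header yields None, which a browser simply ignores.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload, observed_at)


class HstsCache:
    """Per-host HSTS state as a browser keeps it (constructed model)."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, headers: Mapping[str, str], observed_at: float) -> None:
        """Record the HSTS header of one response served over an error-free TLS session."""
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return                                   # e.g. a bumped response: Squid removed HSTS
        policy = parse_hsts(value, observed_at)
        if policy is None:
            return
        if policy.max_age == 0:
            self._policies.pop(host.lower(), None)   # max-age=0 clears the stored policy
        else:
            self._policies[host.lower()] = policy    # the newest header replaces the old one

    def _matching(self, host: str, now: float):
        """Yield active policies that apply to `host` (exact, then includeSubDomains parents)."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or not policy.active_at(now):
                continue
            if i > 0 and not policy.include_subdomains:
                continue
            yield policy

    def is_known_host(self, host: str, now: float) -> bool:
        """True while `host` is pinned, i.e. certificate errors cannot be overridden."""
        return any(True for _ in self._matching(host, now))

    def seconds_until_clear(self, host: str, now: float) -> float:
        """Remaining pin lifetime if the browser sees no further HSTS header for `host`."""
        return max((p.expires_at() - now for p in self._matching(host, now)), default=0.0)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through of the scenario in the thread."""
    cache = HstsCache()
    # Day 0: the site was reached without bumping, so its HSTS header was cached.
    cache.observe("facebook.com",
                  {"Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload"}, 0)
    pinned_now = cache.is_known_host("www.facebook.com", 3600)
    # Later, through a bumping Squid: HSTS stripped, so nothing refreshes the pin, but it persists.
    cache.observe("facebook.com", {"Content-Type": "text/html"}, 7200)
    pinned_after_bump = cache.is_known_host("www.facebook.com", 7200)
    # Only once the advertised max-age has elapsed can a certificate exception be added again.
    pinned_after_expiry = cache.is_known_host("www.facebook.com", 15552000 + 1)
    return pinned_now, pinned_after_bump, pinned_after_expiry
```

The model makes the thread's point concrete: once the browser has cached a long max-age from a spliced or unproxied visit, the bumping proxy stripping the header does not shorten the pin, so clearing the browser's HSTS state (or waiting out max-age) is what removes the "cannot add an exception" error.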