[squid-users] Freebsd based squid MITM

From: Mike Perri <perrimd_at_copesd.org>
Date: Fri, 18 May 2012 11:18:00 -0400 (EDT)

I have found that ssl_bump/sslcrtd does not work as expected on FreeBSD when used as a MITM intercepting SSL proxy. I am using the following squid config with an rdr rule in the pf firewall:

http_port 3128 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem

# Strips https and sends request as http to server, but keeps https to client
https_port 3129 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem

always_direct allow all
follow_x_forwarded_for allow all
forwarded_for on

acl localhost src 127.0.0.1/32 ::1
ssl_bump deny localhost
ssl_bump allow all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /local/libexec/squid/ssl_crtd -s /local/squid/ssl_db -M 4MB
sslcrtd_children 5

What happens is that the HTTPS connection is served to clients from squid, and SSL is stripped on the proxy request that goes out. It basically strips SSL but makes it appear to the client that it is connected via SSL... This could be a bad thing :)

Maybe someone can take a look at this and explain why sslcrtd/ssl_bump does not create an SSL proxy request but instead just goes HTTP?

Thanks. Mike
Received on Fri May 18 2012 - 15:18:14 MDT
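As an added example (not from the post above and not Squid project code): a small Python audit that parses the posted configuration and flags the directives that remove upstream certificate checking on bumped connections. The sample config is the one from the post; the finding messages and function names are my own.

```python
"""Audit a squid.conf for ssl-bump settings that weaken the upstream TLS leg.

Constructed example, not part of the original post or of Squid itself.
With peer verification off and all certificate errors allowed, a bumped
connection gives the client a valid-looking certificate from the proxy while
the proxy-to-origin leg is accepted no matter what the origin presents.
"""
import shlex

# Constructed sample: the configuration lines from the post above.
SAMPLE_CONF = """\
http_port 3128 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
# Strips https and sends request as http to server, but keeps https to client
https_port 3129 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
always_direct allow all
acl localhost src 127.0.0.1/32 ::1
ssl_bump deny localhost
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /local/libexec/squid/ssl_crtd -s /local/squid/ssl_db -M 4MB
"""


def parse_conf(text):
    """Yield (directive, args) for every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]


def audit(text):
    """Return a list of (directive, reason) findings for weak ssl-bump settings."""
    findings = []
    bumping = False
    for directive, args in parse_conf(text):
        if directive in ("http_port", "https_port") and "ssl-bump" in args:
            bumping = True  # a port terminates client TLS and re-issues certs
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((directive, "origin server certificates are never verified"))
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((directive, "every origin certificate error is ignored"))
        elif directive == "ssl_bump" and args[:2] == ["allow", "all"]:
            findings.append((directive, "all client TLS is bumped, not only selected destinations"))
    # Only report when bumping is actually enabled; otherwise these directives are inert.
    return findings if bumping else []
```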
