RE: [squid-users] Squid and SSL interception (ssl-bump)

From: Heinrich Hirtzel <heinrichhirtzel99_at_hotmail.com>
Date: Wed, 31 Oct 2012 17:43:20 +0100

I've just updated to the most recent squid version (compiled with --enable-ssl *and* --enable-ssl-crtd):
./squid -v
Squid Cache: Version 3.2.3-20121031-r11695

I can start squid without any errors, but when I try to connect to the daemon the connection gets terminated immediately (using the same cfg as before):

$ telnet 10.0.1.1 3128
Trying 10.0.1.1...
Connected to 10.0.1.1.
Escape character is '^]'.
Connection closed by foreign host.

While cache.log shows:
<timestamp> kid1| BUG: Orphan Comm::Connection: local=10.0.1.1:3128 remote=10.0.1.1:51288 FD 10 flags=33
<timestamp> kid1| NOTE: 1 Orphan since last started

Unfortunately I have no idea what Squid tries to tell me.... In fact HTTP and HTTPS are not working now :-(

Ideas?

----------------------------------------
> From: heinrichhirtzel99_at_hotmail.com
> To: squid-users_at_squid-cache.org
> Date: Wed, 31 Oct 2012 16:49:37 +0100
> Subject: RE: [squid-users] Squid and SSL interception (ssl-bump)
>
>
> Hi Eliezer
>
> > what iptables rules have you used?
> > also you better use squid 3.2 for ssl-bump.
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 81 -j REDIRECT --to-port 3128
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 443
>
> > also you better use squid 3.2 for ssl-bump.
> K, will try that. Stay tuned :-)
>
> > take a look at:
> > http://wiki.squid-cache.org/Features/SslBump
> > and
> > http://wiki.squid-cache.org/Features/DynamicSslCert
>
> I've read through them at least 10 times (I'm not kidding) and tried various different configurations without finding any solution. Maybe I simply missed something :-/
>
> Do I need to compile squid with '--enable-ssl-crtd' or is '--enable-ssl' enough?
>
> Regards,
> Heinrich
>
> ----------------------------------------
> > Date: Wed, 31 Oct 2012 17:40:38 +0200
> > From: eliezer_at_ngtech.co.il
> > To: squid-users_at_squid-cache.org
> > Subject: Re: [squid-users] Squid and SSL interception (ssl-bump)
> >
> > On 10/31/2012 5:33 PM, Heinrich Hirtzel wrote:
> > > Hello
> > >
> > > For a school project I'm trying to intercept SSL connections by using Squid (client -> squid (transparent) -> server).
> > > I'm running Squid 3.1.20 on Ubuntu server 12.10 (64 bit) using the following configuration:
> > >
> > > *************************************
> > > http_port 10.0.1.1.:3128 intercept
> > > https_port 10.0.1.1.:443 ssl-bump cert=/user/local/squid3/ssl_cert/myCA.pm
> > If I remember right you should use http and not https
> >
> > >
> > > acl our_networks src 10.0.1.0/24
> > > http_access allow our_networks
> > > forwarded_for off
> > > ssl_bump allow all
> > > sslproxy_cert_error allow all
> > > sslproxy_flags DONT_VERIFY_PEER
> > > *************************************
> > what iptables rules have you used?
> > also you better use squid 3.2 for ssl-bump.
> >
> > what were you reading about ssl-bump?
> >
> > take a look at:
> > http://wiki.squid-cache.org/Features/SslBump
> > and
> > http://wiki.squid-cache.org/Features/DynamicSslCert
> >
> > Regards,
> > Eliezer
> >
> > --
> > Eliezer Croitoru
> > https://www1.ngtech.co.il
> > IT consulting for Nonprofit organizations
> > eliezer <at> ngtech.co.il
>
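The "BUG: Orphan Comm::Connection" line asked about above is Squid reporting an accepted connection descriptor that was closed without any handler taking ownership of it. When chasing this kind of problem it helps to pull the local endpoint, remote endpoint and FD out of every such line and see which listening port they cluster on (here the intercept port 3128). The following is an added example written for this reply, not code from the thread or from the Squid project; the log lines are constructed to match the shape of the two lines quoted above, and the regular expressions assume that exact message format.

```python
import re
from collections import Counter

# Constructed sample cache.log excerpt (not real output): the first two lines copy the
# shape of the lines quoted in the thread, the rest are made up to show aggregation
# and a non-matching line.
SAMPLE_LOG = """\
2012/10/31 17:40:01 kid1| BUG: Orphan Comm::Connection: local=10.0.1.1:3128 remote=10.0.1.1:51288 FD 10 flags=33
2012/10/31 17:40:01 kid1| NOTE: 1 Orphan since last started
2012/10/31 17:40:05 kid1| BUG: Orphan Comm::Connection: local=10.0.1.1:3128 remote=10.0.1.20:40112 FD 12 flags=33
2012/10/31 17:40:05 kid1| NOTE: 2 Orphans since last started
2012/10/31 17:40:07 kid1| BUG: Orphan Comm::Connection: local=10.0.1.1:443 remote=10.0.1.21:50001 FD 14 flags=33
2012/10/31 17:40:07 kid1| NOTE: 3 Orphans since last started
2012/10/31 17:40:09 kid1| (constructed unrelated log line)
"""

# Field layout assumed from the quoted message: local=IP:port remote=IP:port FD n flags=n
ORPHAN_RE = re.compile(
    r"kid(?P<kid>\d+)\| BUG: Orphan Comm::Connection: "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=(?P<flags>\d+)"
)
# Running total Squid prints after each orphan report.
NOTE_RE = re.compile(r"NOTE: (?P<count>\d+) Orphans? since last started")


def parse_orphans(log_text):
    """Return one dict per orphan-connection report found in the log text."""
    reports = []
    for line in log_text.splitlines():
        m = ORPHAN_RE.search(line)
        if not m:
            continue
        reports.append({
            "kid": int(m.group("kid")),
            "local": m.group("local"),
            "remote": m.group("remote"),
            "fd": int(m.group("fd")),
            "flags": int(m.group("flags")),
        })
    return reports


def orphans_by_local(log_text):
    """Count orphan reports per local (listening) endpoint, e.g. '10.0.1.1:3128'."""
    return Counter(r["local"] for r in parse_orphans(log_text))


def latest_orphan_note(log_text):
    """Return the last running total from a 'NOTE: N Orphan(s) since last started' line, or 0."""
    last = 0
    for line in log_text.splitlines():
        m = NOTE_RE.search(line)
        if m:
            last = int(m.group("count"))
    return last


if __name__ == "__main__":
    for report in parse_orphans(SAMPLE_LOG):
        print(report)
    print("per listening endpoint:", dict(orphans_by_local(SAMPLE_LOG)))
    print("Squid's running total:", latest_orphan_note(SAMPLE_LOG))
```

Run against a real cache.log the per-endpoint counter tells you whether every intercepted connection on a given port is being dropped (as in the telnet test above) or only a subset, which narrows the search to that port's configuration.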
Received on Wed Oct 31 2012 - 16:43:27 MDT

This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 12:00:05 MDT