RE: [squid-users] Squid and SSL interception (ssl-bump)

From: Heinrich Hirtzel <heinrichhirtzel99_at_hotmail.com>
Date: Thu, 1 Nov 2012 12:17:30 +0100

> You are missing the intercept flag on https_port. That is what tells
> Squid how to interpret the URL and TCP layer differences in the port 80
> and 443 syntax traffic.
I've already tried that (with 3.1.20, since 3.2.3 isn't working here at all), but the client web browser just gets "net::ERR_TOO_MANY_REDIRECTS" (Google Chrome).

> what are all the compilation options from -v (curious)
> try the latest stable at:
> http://www.squid-cache.org/Versions/v3/3.2/squid-3.2.3.tar.bz2

$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.2.3-20121031-r11695
configure options:  '--enable-ssl' '--enable-ssl-crtd'

But 3.2.3 isn't working here at all (using the same config as for 3.1.20):

<timestamp> kid1| Intercept.cc(127) NetfilterInterception:  NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.1:3128 remote=10.0.1.1:51285 FD 10 flags=33: (92) Protocol not available
<timestamp>| BUG: Orphan Comm::Connection: local=10.0.1.1:3128 remote=10.0.1.1:51285 FD 10 flags=33
<timestamp>| NOTE: 1 Orphans since last started.

> what about: sslcrtd_program ?
Never heard of that option; I'm just following the Squid Wiki and can't find it mentioned there:
http://wiki.squid-cache.org/Features/HTTPS
http://wiki.squid-cache.org/Features/SslBump

> if you need to intercept all https connections (seems to be your case) I
> would suggest you try the 3.3 beta.
According to the wiki, SSL termination/interception should work since 3.1. Isn't that correct?

> For HTTPS interception ssl-crtd is better. server-first feature and
> certificate-mimic are even better.
> Squid-3.3 which has these is needed for anything close to useful HTTPS
> port 443 interception.
So SSL interception is not working for any version prior to 3.3? Just asking because I've seen several posts on the internet where people managed to get SSL interception running with 3.1 and 3.2. I'm totally confused... :-(

Thanks for your help so far!

----------------------------------------
> To: squid-users_at_squid-cache.org
> Date: Thu, 1 Nov 2012 11:59:46 +1300
> From: squid3_at_treenet.co.nz
> Subject: Re: [squid-users] Squid and SSL interception (ssl-bump)
>
> On 01.11.2012 04:33, Heinrich Hirtzel wrote:
> > Hello
> >
> > For a school project I'm trying to intercept SSL connections by using
> > Squid (client -> squid (transparent) -> server).
> > I'm running Squid 3.1.20 on Ubuntu server 12.10 (64 bit) using the
> > following configuration:
> >
> > *************************************
> > http_port 10.0.1.1.:3128 intercept
> > https_port 10.0.1.1.:443 ssl-bump
> > cert=/user/local/squid3/ssl_cert/myCA.pm
> >
> > acl our_networks src 10.0.1.0/24
> > http_access allow our_networks
> > forwarded_for off
> > ssl_bump allow all
> > sslproxy_cert_error allow all
> > sslproxy_flags DONT_VERIFY_PEER
> > *************************************
> >
> > I've compiled squid with SSL support (--enable-ssl). When starting Squid
> > I do not get any error message. Also, proxying http traffic works
> > without any problems.
> >
> > However, when I try to establish an HTTPS session through squid, the
> > client retrieves the SSL certificate from squid, but after accepting it
> > the browser displays an error message from squid that the URL is
> > invalid:
> >
> > "The following error was encountered while trying to retrieve the
> > URL: /.
> >
> > Invalid URL"
> >
> > In the Squid access.log I see the following line:
> > "<timestamp> 0 10.0.1.5 NONE/440 3503 GET / - NONE/- text/html"
> >
> > It appears that squid strips away the hostname / domain name of the
> > URL the client tries to access, which causes the error message
> > mentioned above.
> >
> > I've already spent hours finding a solution for this problem and went
> > through dozens of tutorials; unfortunately I wasn't able to find a
> > solution so far.
> >
> > Any ideas what could be wrong?
>
> You are missing the intercept flag on https_port. That is what tells
> Squid how to interpret the URL and TCP layer differences in the port 80
> and 443 syntax traffic.
>
> Amos
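An added example, not taken from the thread: the poster's squid.conf with the intercept flag on https_port that Amos refers to, followed by the 3.3-style directives he mentions (ssl-crtd helper, server-first bumping). The 10.0.1.1 address, the acl and the sslproxy lines come from the poster's config; the certificate and key paths, the ssl_crtd helper path and the ssl_db location are assumptions.

```conf
# Squid 3.1.x: the poster's config with the "intercept" flag added to https_port.
# Without it Squid treats the bumped request as a forward-proxy request; the
# origin-form request line "GET /" then carries no host, hence "Invalid URL: /".
# Intercept ports expect traffic arriving via NAT redirection (iptables REDIRECT);
# a browser pointed straight at the proxy needs a separate plain http_port.
http_port  10.0.1.1:3128 intercept
# Certificate and key paths are assumptions (the thread gives only a cert path).
https_port 10.0.1.1:443 intercept ssl-bump cert=/usr/local/squid3/ssl_cert/myCA.pem key=/usr/local/squid3/ssl_cert/myCA.key

acl our_networks src 10.0.1.0/24
http_access allow our_networks
forwarded_for off
ssl_bump allow all

# Kept from the poster's config, but note what they do: both switch off
# verification of the upstream server certificate, so clients behind the
# proxy can no longer tell a forged or expired origin certificate from a
# valid one. Once bumping works, drop them (Squid verifies by default) and
# allow specific errors only for named destinations through an acl.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Squid 3.3 equivalent (replaces the https_port and ssl_bump lines above),
# using the ssl-crtd helper and server-first bumping Amos recommends:
# per-site certificates are generated on demand and mimic the real server
# certificate instead of presenting the one CA certificate for every site.
# Initialise the certificate store once before starting Squid (path assumed):
#   /usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db
https_port 10.0.1.1:443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid3/ssl_cert/myCA.pem key=/usr/local/squid3/ssl_cert/myCA.key
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
```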
Received on Thu Nov 01 2012 - 11:17:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Nov 02 2012 - 12:00:03 MDT