On 19/06/2013 9:13 p.m., marwan wrote:
> Hi,
>
> I have a problem with the sslbump option, can someone help me please?
>
> I explain it:
>
> client <-> child proxy <-> parent proxy <-> server
>
> I have established a proxy behind another proxy squid. If I try to use the
> parent proxy alone, it operates correctly. The parent proxy uses sslbump with
> this configuration:
> --------------------------------------
> http_port 3128 ssl-bump cert=/usr/local/squid/ssl/squid.crt.ok
> key=/usr/local/squid/ssl/squid.key.ok
> clientca=/home/mhalloumi/Bureau/ca_cert.pem
>
> always_direct allow all
> ssl_bump allow all
Please upgrade to 3.3 if you are using ssl-bump. That series has much
safer SSL handling.
> So if I try to send with wget a request to a server with this command (wget
> https://www.cic.fr/fr/ --no-check-certificate --certificate user_cert.pem)
> (I have configured wget to send requests to the child proxy), the child proxy
> doesn't use ssl-bump with its parameters but just forwards the request to the
> parent proxy.
>
> So I want to know if:
>
> Is it possible to use sslbump with this proxy behind another proxy using
> sslbump?
Possible, yes. Reasonable, no.
When *you* control both ends of the SSL connection (child and parent
proxies) there is absolutely zero reason to hijack and force the
decryption. You can just decrypt using regular SSL sender/receiver
functionality. You can even use SSL cert validation of both server and
client certs to ensure nobody else intercepts your SSL connection
between the proxies.
ssl-bump is *only* useful to hijack and decrypt *somebody else's* SSL
connections. Either decrypting clients' CONNECT requests which are
tunneling HTTPS over regular HTTP connections, or decrypting clients'
port 443 traffic.
> How can I use the SSL parameter from the command "cache_peer" (for example
> sslcert, sslkey or sslversion)?
>
> Why don't the sslbump parameters of the child proxy work in my case? (I want
> this parameter for the ssl context server of the parent proxy.)
Because the parent is expecting to receive plain-HTTP from the child.
The child is sending SSL traffic to the parent.
Use an https_port with a normal server certificate (nothing special like
ssl-bump) on the parent proxy.
Amos
Received on Wed Jun 19 2013 - 12:46:57 MDT
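The setup Amos describes, written out as an added example (this is not configuration from the original thread or from the Squid project; hostnames, ports and file paths are placeholders). The child proxy is the one facing clients, so ssl-bump lives there; the child-to-parent hop is an ordinary TLS connection in which the parent presents a normal server certificate and each side verifies the other's certificate. The parent has no ssl-bump at all, and `never_direct` forces the child to route everything through the parent:

```squid
# ---- child proxy (the one the clients talk to) ----
# ssl-bump only here: this is where somebody else's (the clients') TLS is
# decrypted. squid-ca.pem is a CA certificate the clients are configured to
# trust; generate-host-certificates needs the ssl_crtd helper built in.
http_port 3128 ssl-bump cert=/etc/squid/ssl/squid-ca.pem key=/etc/squid/ssl/squid-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# server-first (Squid 3.2+) validates the origin server's certificate before
# the client-side fake one is generated, unlike the older "ssl_bump allow all".
ssl_bump server-first all

# Plain TLS to the parent: "ssl" turns on TLS for this peer, sslcert/sslkey is
# the child's client certificate, sslcafile is what the parent's server cert
# must chain to, ssldomain pins the name expected in that certificate.
cache_peer parent.example.internal parent 3129 0 no-query default ssl sslcert=/etc/squid/ssl/child-client.pem sslkey=/etc/squid/ssl/child-client.key sslcafile=/etc/squid/ssl/internal-ca.pem ssldomain=parent.example.internal

# Route everything via the parent; the child never goes to origin servers itself.
never_direct allow all

# ---- parent proxy ----
# Ordinary TLS listener with a normal server certificate, no ssl-bump.
# clientca= makes the parent request and verify the child's client certificate
# against the internal CA, so nothing else can interpose on the link.
https_port 3129 cert=/etc/squid/ssl/parent-server.pem key=/etc/squid/ssl/parent-server.key clientca=/etc/squid/ssl/internal-ca.pem

# The parent is the one reaching origin servers.
always_direct allow all
```

Two caveats for this sketch: it uses the Squid 3.x spelling of the peer options (`ssl`, `sslcert=`, `sslcafile=`), which Squid 4 renamed to `tls`, `tls-cert=` and `tls-cafile=`; and marwan's original `clientca=` on an ssl-bump `http_port` does nothing useful for the bumped sessions, because a client certificate presented to a bumped connection never reaches the origin server anyway.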