How to configure https_port ssl-bump ?


How to configure https_port ssl-bump ?

赵 俊
Hello, I configured https_port in squid.conf. However, when I access https websites using Firefox, it shows "Your connection is not secure".

The error looks like this:
www.amazon.com used an invalid security certificate. 
This certificate is valid for 23.13.186.212 only. 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

My CA produced by openssl is a Self-signed certificate.

Here is my squid.conf:

https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

ssl_bump bump all

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to configure https_port ssl-bump ?

Amos Jeffries
Administrator
On 21/11/17 14:31, 赵 俊 wrote:

> Hello,I configured  https_port in squid.conf . However  when I access
> https websites using Firefox,it shows   "Your connection is not secure" .
>
> The error like this:
> www.amazon.com used an invalid security certificate.
> This certificate is valid for 23.13.186.212 only.
> Error code: SSL_ERROR_BAD_CERT_DOMAIN
>
> My CA produced by openssl is a Self-signed certificate.
>

There are two points of brokenness here.

Firstly, has your Firefox been configured with the DER certificate of
that CA so that it trusts your CA?

Without that Firefox will not trust *any* certs generated by your Squid.


> Here is my squid.conf:
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem
>
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
>
> ssl_bump bump all
>

Secondly, the above configures Squid to auto-generate the server
certificate with zero details from the real server AND zero details from
the client TLS handshake.

All Squid has to work with at that point is the raw-IP which the client
used to connect the TCP connection underneath everything. So of course
that is what the cert will be bound to.


Have you read this page to learn the bare basics about what is going on?
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>
I know the page looks long, but that is the minimal details you need to
know about TLS and the Squid SSL-Bump features.


Amos
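As an added example (not posted by either participant), here is the poster's own configuration with the ssl_bump rules reordered so that Squid sees the client's SNI before it generates a certificate; the addresses and paths are the ones from the thread, and the ssl_step ACLs the poster already declared are used instead of being left idle:

```conf
# Added example, not from the thread: the poster's https_port line with the
# ssl_bump rules reordered so Squid learns the client's SNI before it
# generates a certificate. Addresses and paths are the poster's own.
https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

# BROKEN (the poster's rule): bumping at step 1 happens before Squid has
# read the client's TLS ClientHello, so the only name it knows for the
# server is the intercepted destination IP. The mimicked certificate is
# therefore issued for 23.13.186.212 and Firefox reports
# SSL_ERROR_BAD_CERT_DOMAIN for www.amazon.com.
#ssl_bump bump all

# FIXED: peek at step 1 reads the ClientHello (including SNI) without
# committing to anything; bumping from step 2 onward lets Squid generate
# the certificate for the server name the client actually asked for.
ssl_bump peek ssl_step1
ssl_bump bump all

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
```

This only addresses the second point; Firefox still has to trust the signing CA, so export it as DER (`openssl x509 -in myCA.pem -outform DER -out myCA.der`) and import it under Firefox's certificate Authorities, otherwise every generated certificate is rejected regardless of the name it carries.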