Squid SSL-bump - Not working - No errors


Squid SSL-bump - Not working - No errors

Mohammed al-jakry

Dears,

I am setting up SSL-bump for Squid 3.5 on CentOS 7. I already generated the SSL certificate with the commands below:

OPENSSL=/usr/bin/openssl
SSLDIR=/etc/mydlp/ssl
# Create the certificate directory and clear any previous contents
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
# Generate a 4096-bit RSA private key
[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private.pem
# Create a self-signed certificate valid for 3650 days, answering the openssl req prompts from stdin
[ -e $SSLDIR/public.pem ] || (echo -e "TR\nAnkara\nTechnopolis\nMyDLP\nMyDLP\n*\[hidden email]\n"| $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/private.pem -out $SSLDIR/public.pem)
# Convert the certificate to DER for import on client machines
[ -e $SSLDIR/user.der ] || $OPENSSL x509 -in $SSLDIR/public.pem -outform DER -out $SSLDIR/user.der

 

In addition, below you can find a snippet from the squid.conf file:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

In addition, I added the user.der file to the certificate authorities on the user machine. The problem is that it's not working. Moreover, the Squid service restarts without any issues. Also, please find attached the result of the Squid configuration test.

 

I appreciate your assistance.

Mohammed M AlJakri


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

squid -k parse.txt (5K) Download Attachment

Re: Squid SSL-bump - Not working - No errors

Amos Jeffries
Administrator
The first problem is that you are using a broken config from Squid-3.1
in a version 3.5 proxy.

Please reset your squid.conf and set it up as described by
<http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit>

Amos
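
An added example, not part of the original thread and not copied from the linked wiki page: the directives from the first post rewritten in the peek-and-bump syntax that Squid 3.5 uses, with the 3.1-era lines kept as comments for comparison. The paths are the poster's own; the ACL name step1 is an arbitrary choice.

```conf
# Added example: Squid 3.5 form of the directives from the post above.
# Paths are the poster's; adjust to the local install.

# --- As posted (Squid 3.1-era syntax), kept here for comparison ---
# always_direct allow all
# ssl_bump allow all                    # "allow" is the old alias for client-first
# sslproxy_cert_error allow all         # accepts any upstream certificate error
# sslproxy_flags DONT_VERIFY_PEER       # disables upstream certificate checks

# --- Squid 3.5 peek-and-bump form ---
http_port 3128 ssl-bump \
    cert=/etc/mydlp/ssl/public.pem \
    key=/etc/mydlp/ssl/private.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the CA above.
# The database given with -s must be initialised once (ssl_crtd -c -s <dir>)
# and be writable by the user Squid runs as.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: peek at the TLS ClientHello to learn the SNI, then bump the rest.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# No sslproxy_flags DONT_VERIFY_PEER and no "sslproxy_cert_error allow all":
# with those left out, Squid validates the origin server's certificate itself,
# which matters because the browser now only ever sees the proxy's certificate.
```

Running squid -k parse against the edited file, as the poster already did, shows whether any remaining directive is reported as obsolete or unrecognised.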
