Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error
Thanks for adding me to the list…
I would like to install Squid proxy with SSL bump. I am working on my virtual lab and once everything is OK I will test it on the real network. I already created a directory for the cert and generated the cert as below:
Re: Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error
On 15/04/2017 1:17 a.m., Mohammed al-jakry wrote:
> Thanks for adding me to the list…
> I would like to install Squid proxy with SSL bump. I am working on my virtual lab and once everything is OK I will test it on the real network. I already created a directory for the cert and generated the cert as below:
> #Generate Private Key
> openssl genrsa -out MSY.com.private 2048
> # Create Certificate Signing Request
> openssl req -new -key MSY.com.private -out MSY.com.csr
> # Sign Certificate
> openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out
> # Generate certificate cache
> /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
> # Change ownership of the certificate cache
> chown squid: /var/lib/ssl_db
> Then I filled in the info and set the 'Common Name' to something other than the domain or server_name. In addition, please find the below lines from the squid configuration file:
> # Squid listen Port
> http_port 3128
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
> # SSL Bump Config
> always_direct allow all
> ssl_bump server-first all
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
The above two lines are actively dangerous.
NOTE that "Just for testing" is not a good excuse either. They actively
hide TLS problems, testing will "work fine" and production use of the
same config fail with horrible results - or worse; production "work
perfectly" and the horrible results happening invisibly anyway.
When testing, let Squid tell you about errors. Resolve them in other
ways (i.e. properly) and then you won't need these settings in production
use either. :-)
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> and it's not working with the SSL bump configuration; it works only when I remove the SSL bump configuration, but for sure without an SSL certificate.
> Also I checked journalctl -xe and found the below error:
> /etc/squid/squid.conf:3 unrecognized: 'ssl-bump'
> Any ideas?
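The two things this thread turns on can both be caught before Squid is even started: `ssl-bump` and the `generate-host-certificates=`/`key=`/`cert=` options that go with it are options of the `http_port`/`https_port` directive, so a line that starts with `ssl-bump` on its own is exactly what produces `unrecognized: 'ssl-bump'`, and `sslproxy_flags DONT_VERIFY_PEER` is the setting the reply warns about because it hides TLS verification failures. The following POSIX shell linter is an added example and is not code from the thread or from the Squid project; the `lint_squid_conf` function and the two sample configurations it checks (one mirroring the configuration quoted above, one with the port options on a single line) are constructed here for illustration, and the directive names assumed are the Squid 3.5-era ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project.
# Lint a squid.conf for two problems: "ssl-bump" appearing as a directive on
# its own line (it is only valid as an option of http_port/https_port, which
# is what yields "unrecognized: 'ssl-bump'"), and sslproxy_flags
# DONT_VERIFY_PEER, which disables peer certificate verification on bumped
# connections. Prints one finding per line; returns 1 if any finding, else 0.
lint_squid_conf() {
    conf="$1"
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # strip trailing comments and surrounding whitespace
        stripped=$(printf '%s' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$stripped" ] && continue
        case "$stripped" in
            ssl-bump*)
                echo "$conf:$lineno: 'ssl-bump' is an http_port/https_port option; put it on the same line as the port directive"
                status=1 ;;
            sslproxy_flags*DONT_VERIFY_PEER*)
                echo "$conf:$lineno: sslproxy_flags DONT_VERIFY_PEER disables peer certificate verification"
                status=1 ;;
        esac
    done < "$conf"
    return $status
}

# Constructed sample: the layout quoted in the thread (ssl-bump on line 3).
write_sample_bad() {
    cat > "$1" <<'EOF'
# Squid listen Port
http_port 3128
ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
EOF
}

# Constructed sample: port options on the http_port line, no DONT_VERIFY_PEER.
write_sample_good() {
    cat > "$1" <<'EOF'
# Squid listen Port (ssl-bump and its options belong on this line)
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
EOF
}

# Demo run: lint both constructed samples from a temporary directory.
demo_dir=$(mktemp -d)
write_sample_bad "$demo_dir/bad.conf"
write_sample_good "$demo_dir/good.conf"
lint_squid_conf "$demo_dir/bad.conf" || true
lint_squid_conf "$demo_dir/good.conf" && echo "$demo_dir/good.conf: no findings"
```

The check is deliberately anchored at the start of the stripped line, so `http_port 3128 ssl-bump ...` passes while a bare `ssl-bump ...` line is reported with the same `file:line` shape Squid itself uses in its parse error; `ssl_bump server-first all` (underscore) is the separate bumping-action directive and is left alone. Running `squid -k parse -f squid.conf` remains the authoritative check, but this catches the two mistakes without a Squid install.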