Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error

Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error

Mohammed al-jakry

Dears,

Thanks for adding me to the list…

I would like to install Squid proxy with SSL bump. I am working on my virtual lab, and once everything is OK I will test it on the real network. I already created a directory for the cert and generated the cert as below:

# Generate Private Key

openssl genrsa -out MSY.com.private 2048

# Create Certificate Signing Request

openssl req -new -key MSY.com.private -out MSY.com.csr

# Sign Certificate

openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert

# Generate certificate cache

/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

# Change ownership of the certificate cache

chown squid: /var/lib/ssl_db

Then I filled in the info and set the 'Common Name' to something other than the domain or server_name. In addition, please find below the lines from the squid configuration file:

# Squid listen Port

http_port 3128

ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert

# SSL Bump Config

always_direct allow all

ssl_bump server-first all

sslproxy_cert_error deny all

sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1

And it's not working with the SSL bump configuration; it works only when I remove the SSL bump configuration, but of course then without the SSL certificate.

Also, I checked journalctl -xe and found the below error:

/etc/squid/squid.conf:3 unrecognized: 'ssl-bump'

Any ideas?

Regards


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error

Amos Jeffries
Administrator
On 15/04/2017 1:17 a.m., Mohammed al-jakry wrote:

>
>
>
> Dears,
>
> Thanks for adding me to the list…
>
>
> I would like to install squid proxy with SSL bump, I am working on my Virtual lab and once everything is ok I will Test it on the real network. I already created I directory for the cert and generated the cert as below:
> #Generate Private Key
> openssl genrsa -out MSY.com.private 2048
>
> # Create Certificate Signing Request
> openssl req -new -key MSY.com.private -out MSY.com.csr
>
> # Sign Certificate
> openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out
> MSY.com.cert
> # Generate certificate cache
> /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
> # Change ownership of the certificate cache
> chown squid: /var/lib/ssl_db
> then I fill the info and put the 'Common Name' something other than the domain or server_name. in addition, please find the below lines from the squid configuration file:
> # Squid listen Port
> http_port 3128
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
> # SSL Bump Config
> always_direct allow all
> ssl_bump server-first all

> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER

The above two lines are actively dangerous.


NOTE that "Just for testing" is not a good excuse either. They actively
hide TLS problems, testing will "work fine" and production use of the
same config fail with horrible results - or worse; production "work
perfectly" and the horrible results happening invisibly anyway.

When testing, let Squid tell you about errors. Resolve them in other
ways (i.e. properly) and then you won't need these settings in production
use either. :-)


> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
> and it’s not working with SSL bump configuration, it work only when I remove the ssl bump configuration but for sure without ssl certificate.
> also i check the journalctl -xe and found the below error:
> /etc/squid/squid.conf:3 unrecognized: 'ssl-bump'
> any ideas ?

Either the line(s) you mentioned above:

> http_port 3128
> ssl-bump generate-host-certificates=on ...

are actually two lines in your config file instead of an email line
wrapping mistake.

Or, the squid binary being run is not built with OpenSSL support.


Probably the former, but what is the output of the command "squid -v"
anyway?


Amos
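A pre-flight check that catches both causes Amos lists, added here as an example and not code from the thread or from the Squid project: it scans a squid.conf for ssl-bump options stranded on their own line (what produces the "unrecognized: 'ssl-bump'" message), flags sslproxy_flags DONT_VERIFY_PEER, and tests "squid -v" output for OpenSSL support. The sample configuration it writes is constructed to mirror the post, and the function names are my own.

```shell
#!/bin/sh
# Pre-flight check for a squid.conf before Squid is reloaded (added example).
#  1. ssl-bump and its companion options (generate-host-certificates=, key=,
#     cert=, ...) on a line of their own are http_port options, not
#     directives, so Squid reports the bare line as "unrecognized: 'ssl-bump'".
#  2. sslproxy_flags DONT_VERIFY_PEER switches off server certificate
#     verification and hides TLS failures instead of surfacing them.
# check_squid_conf FILE: one finding per output line; returns 1 if any found.
check_squid_conf() {
    conf=$1 n=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f        # $1 = directive name, no globbing
        case "$1" in
            ssl-bump|generate-host-certificates=*|key=*|cert=*|dynamic_cert_mem_cache_size=*)
                echo "$conf:$n: $1 is an http_port option, not a directive; join it onto the http_port line above"
                found=1 ;;
            sslproxy_flags) case "$line" in *DONT_VERIFY_PEER*)
                echo "$conf:$n: DONT_VERIFY_PEER disables server certificate verification; remove it and fix the TLS errors Squid reports instead"
                found=1 ;; esac ;;
        esac
    done < "$conf"
    return $found
}

# squid_build_has_tls "$(squid -v)": succeeds if the build was configured
# with OpenSSL (--with-openssl on Squid 3.5+, --enable-ssl on older releases).
squid_build_has_tls() {
    printf '%s\n' "$1" | grep -Eq -- '--with-openssl|--enable-ssl'
}

# write_sample_conf FILE: constructed sample mirroring the post, with the
# ssl-bump options on their own line exactly as the reported error implies.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Squid listen Port
http_port 3128
ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
EOF
}

conf=${1:-}                                  # no argument: check the sample
[ -n "$conf" ] || { conf=$(mktemp); write_sample_conf "$conf"; }
check_squid_conf "$conf" || echo "fix $conf before reloading Squid"
```

Run it as "sh check_squid_conf.sh /etc/squid/squid.conf" against the real file; on the sample it reports line 3 (the stranded ssl-bump) and line 7 (DONT_VERIFY_PEER).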