Brad Barnett wrote:
>
> Hey all,
>
> I've compiled squid-3.HEAD-20080728.tar.gz, and all seems to be working
> fine in a general respect.
>
> However, I can't seem to get sslBump working. I have squid setup as a
> transparent proxy, and that part is working fine. However, when I add
> the following lines, and use iptables to redirect port 443 traffic to
> squid, generally squid just sits, stalled, forever.
IIRC, sslBump was not designed to allow interception of port 443.
What it does is decrypt HTTPS sent as CONNECT requests through the proxy.
There was some discussion about ways to hack it up to do the
interception. I think there may have been a little more coding needed
for that. You will have to google the archives and find the original
threads on this.
Amos
>
> I turned up the debug log, but didn't even see any cogent information
> indicating that sslbump, or any ssl traffic was being attempted.
>
> Any ideas? Note, while I show 'http_port 3129' below, I also tried using
> port 3128, as per the example on the wiki.
>
> Thanks
>
>
> # configure the HTTP port to bump CONNECT requests
> http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt
> key=/usr/local/squid/etc/server.key
>
> # avoid bumping requests to sites that Squid cannot proxy well
> acl broken_sites dstdomain .webax.com
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore certain certificate errors or
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://weserve.badcerts.com/
> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error allow BogusError
> sslproxy_cert_error deny all
Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8

Received on Tue Jul 29 2008 - 02:03:33 MDT
This archive was generated by hypermail 2.2.0 : Tue Jul 29 2008 - 12:00:04 MDT
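Amos's point is that the sslBump of that era acts on an HTTP `CONNECT host:443` request sent to the proxy, whereas an iptables redirect of port 443 hands Squid the raw TLS handshake instead; a listener waiting for an HTTP request line never sees one, which matches the stall Brad describes. The following Python script is an added illustration written for this archive page, not code from the thread or from the Squid project: it builds a constructed TLS ClientHello and a constructed CONNECT request, classifies what a listener sees in the first bytes of each connection, and shows which one a CONNECT-only bump would act on. Function names and the record layout constants are this example's own.

```python
import re

# Constructed sample of what a forward proxy receives from a browser that
# knows about the proxy: an HTTP CONNECT tunnel request (not captured traffic).
CONNECT_REQUEST = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n"
    b"\r\n"
)


def build_client_hello() -> bytes:
    """Build a minimal, constructed TLS ClientHello record.

    This is what arrives when port 443 is transparently redirected: the
    browser believes it is talking to the origin server and starts TLS
    immediately, so the first byte is the TLS record type, not ASCII.
    """
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeros, constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"          # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 0x01 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of client opened the connection, from its first bytes."""
    # TLS record header: content type 0x16 (handshake), major version 3,
    # minor 0..4 (SSL 3.0 through the TLS 1.3 record-layer version).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-client-hello" if data[5] == 0x01 else "tls-handshake"
    # Plain HTTP request line, as a proxy-aware client would send it.
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n", data)
    if m:
        return "http-connect" if m.group(1) == b"CONNECT" else "http-request"
    return "unknown"


def parse_connect_target(data: bytes):
    """Return (host, port) from a CONNECT request line, or None."""
    m = re.match(rb"^CONNECT ([^:\s]+):(\d+) HTTP/1\.[01]\r\n", data)
    if not m:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))


def connect_only_bump_applies(data: bytes) -> bool:
    """The sslBump discussed in the thread only engages on a CONNECT request.

    Redirected raw TLS therefore never triggers it, which is why the
    intercepted connection just waits for an HTTP request that never comes.
    """
    return classify_first_bytes(data) == "http-connect"


if __name__ == "__main__":
    for label, sample in (("redirected :443", build_client_hello()),
                          ("proxy CONNECT", CONNECT_REQUEST)):
        print(f"{label:16} -> {classify_first_bytes(sample):17} "
              f"bump applies: {connect_only_bump_applies(sample)}")
```

Run stand-alone, the script reports the redirected connection as a TLS ClientHello that the CONNECT-only bump ignores, and the CONNECT request as the one case it handles; the same first-byte check is a cheap way to confirm, from a packet capture, which of the two situations a stalled proxy is actually in.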