Re: [squid-users] Transparent HTTP Proxy and SSL-BUMP feature

From: Sean Boran <sean_at_boran.com>
Date: Fri, 2 Dec 2011 16:19:54 +0100

I'm not sure you can use sslbump in transparent mode.
I remember reading something to that effect.
There are also articles like this that might help:
https://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/

Sean

On 2 December 2011 13:02, Maret Ludovic <Ludovic.Maret_at_heig-vd.ch> wrote:
> Hi there !
>
> I want to configure a transparent proxy for HTTP and SSL. HTTP works
> pretty well but I'm stuck with SSL even if I use the ssl-bump feature.
>
> Right now, it almost works if I use 2 different ports for the http_port
> & https_port :
>
> http_port 3129 transparent
> https_port 3130 ssl-bump cert=/etc/squid/ssl_cert/partproxy01-test.pem key=/etc/squid/ssl_cert/private/partproxy01-key-test.pem
>
> HTTP is ok, I get the warning about a probable man-in-the-middle attack
> when I tried to access an SSL web site. I did just add an exception. And
> I get an error : Invalid URL
>
> In the logs, I found :
>
> 1322820580.454 0 10.194.2.63 NONE/400 3625 GET /pki - NONE/- text/html
>
> When I tried to access https://www.switch.ch/pki
> Apparently, squid cuts the URL and removes the host.domain part…
>
> When I tried to use the CONNECT method and ssl-bump on http_port, I get an
> error in the browser “ssl_error_rx_record_too_long” or
> “ERR_SSL_PROTOCOL_ERROR”
>
> Any clues ?
>
> Many Thanks
>
> Ludovic
Received on Fri Dec 02 2011 - 15:20:02 MST
