Re: [squid-users] Capturing HTTPS traffic

From: PS <packetstack_at_gmail.com>
Date: Fri, 3 Feb 2012 13:55:51 -0500

Could you please be a little more specific? Is there something else called ssldump that I am supposed to use?

This is what my config looks like. I am currently using ssl_bump.

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/squid.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/var/logs/access.log squid

Thanks for the quick response!

On Feb 3, 2012, at 1:20 PM, Alfonso Alejandro Reyes Jimenez wrote:

> Hi.
>
> If you have the certifícate information you may use ssldump to decode the information. I hope this helps.
>
>
> Regards.
>
> -----Mensaje original-----
> De: PS [mailto:packetstack_at_gmail.com]
> Enviado el: viernes, 03 de febrero de 2012 12:11 p.m.
> Para: squid-users_at_squid-cache.org
> Asunto: [squid-users] Capturing HTTPS traffic
>
> Hello,
>
> I am currently running the following version of Squid:
>
> Squid Cache: Version 3.2.0.14-20120202-r11500 configure options: '--enable-ssl' '--enable-ssl-crtd'
>
> I configured it so that certs are generated on the fly and I am able to get to HTTPS websites without getting a certificate warning.
>
> I want to do a packet capture of all HTTPS traffic while in cleartext. I would think that it can be done on the Squid box. Is that possible?
>
> If I use tcpdump on the Squid box, I only see the encrypted traffic. Do I have to recompile Squid with another configuration option to be able to do what I want to do?
>
> Thanks
Received on Fri Feb 03 2012 - 18:56:00 MST

This archive was generated by hypermail 2.2.0 : Sat Feb 04 2012 - 12:00:02 MST