Re: [squid-users] Capturing HTTPS traffic

From: PS <packetstack_at_gmail.com>
Date: Sun, 5 Feb 2012 17:10:11 -0500

If that's the case, would there be any possible way for me to get the decrypted packets?

On Feb 5, 2012, at 2:37 PM, James R. Leu wrote:

> I do not have sslbump working yet, but as I understand it the packets
> on the wire are always encrypted. The only place the information exists
> in a decrypted form is in squids memory. Just think of squid as a bridge
> between two SSL streams.
>
> On Sun, Feb 05, 2012 at 02:12:44PM -0500, PS wrote:
>> I tried using ssldump and tshark and I can't seem to get this working. I am using squid's private key to try to decrypt the traffic.
>>
>> The connection goes from the client (192.168.2.2) to squid server (192.168.2.1) on port 3128. If I understand correctly, the client establishes a connection with squid on port 3128 and then squid establishes a connection with https://www.gmail.com on port 443.
>>
>> Shouldn't I be able to decrypt the connection between the client and the squid server in order to see the traffic that is being sent to gmail?
>>
>> On Feb 3, 2012, at 2:08 PM, "Alfonso Alejandro Reyes Jimenez" <aareyes_at_scitum.com.mx> wrote:
>>
>>> Sorry. SSLDUMP is like tcpdump but for ssl, it Works on layer 3 and has nothing to do with squid, that what we use.
>>>
>>> Regards.
>>>
>>>
>>>
>>> -----Mensaje original-----
>>> De: PS [mailto:packetstack_at_gmail.com]
>>> Enviado el: viernes, 03 de febrero de 2012 12:56 p.m.
>>> Para: Alfonso Alejandro Reyes Jimenez
>>> CC: squid-users_at_squid-cache.org
>>> Asunto: Re: [squid-users] Capturing HTTPS traffic
>>>
>>> Could you please be a little more specific? Is there something else called ssldump that I am supposed to use?
>>>
>>> This is what my config looks like. I am currently using ssl_bump.
>>>
>>>
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/squid.pem
>>> always_direct allow all
>>> ssl_bump allow all
>>> sslproxy_cert_error allow all
>>> sslproxy_flags DONT_VERIFY_PEER
>>> coredump_dir /usr/local/squid/var/cache/squid
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt access_log /usr/local/squid/var/logs/access.log squid
>>>
>>> Thanks for the quick response!
>>>
>>> On Feb 3, 2012, at 1:20 PM, Alfonso Alejandro Reyes Jimenez wrote:
>>>
>>>> Hi.
>>>>
>>>> If you have the certifícate information you may use ssldump to decode the information. I hope this helps.
>>>>
>>>>
>>>> Regards.
>>>>
>>>> -----Mensaje original-----
>>>> De: PS [mailto:packetstack_at_gmail.com] Enviado el: viernes, 03 de
>>>> febrero de 2012 12:11 p.m.
>>>> Para: squid-users_at_squid-cache.org
>>>> Asunto: [squid-users] Capturing HTTPS traffic
>>>>
>>>> Hello,
>>>>
>>>> I am currently running the following version of Squid:
>>>>
>>>> Squid Cache: Version 3.2.0.14-20120202-r11500 configure options: '--enable-ssl' '--enable-ssl-crtd'
>>>>
>>>> I configured it so that certs are generated on the fly and I am able to get to HTTPS websites without getting a certificate warning.
>>>>
>>>> I want to do a packet capture of all HTTPS traffic while in cleartext. I would think that it can be done on the Squid box. Is that possible?
>>>>
>>>> If I use tcpdump on the Squid box, I only see the encrypted traffic. Do I have to recompile Squid with another configuration option to be able to do what I want to do?
>>>>
>>>> Thanks
>>>
>
> --
> James R. Leu
> jleu_at_mindspring.com
Received on Sun Feb 05 2012 - 22:10:20 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 06 2012 - 12:00:01 MST