Hello All.
My goal is to do ssl bumping in transparent proxy mode with domain
exclude possibility.
Let me tell you about squid's strange behaviour when I'm trying to do it.
In browsers it says something like this:
/This server could not prove that it is www.ukr.net; its security
certificate is from212.42.76.253. This may be caused by a
misconfiguration or an attacker intercepting your connection.//
//NET::ERR_CERT_COMMON_NAME_INVALID//
//Subject: 212.42.76.253//
/
Looks like squid takes the CN from the certificate as IP address of the
destination domain.
But, everything works smoothly when I use proxy in non transparent mode
and put it to the browser directly . I can successfully bypass bad sites
and do ssl bumping on others. There are no certificate errors except of
some of them, you know)
My OS is /Centos 6.5 //2.6.32-358.6.2.el6.x86_64/
My squid's version:
//opt/squid/sbin/squid -v//
//Squid Cache: Version 3.5.0.2//
//Service Name: squid//
//configure options: '--with-openssl' '--enable-linux-netfilter'
'--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd'
'--prefix=/opt/squid' '--enable-external-acl-helpers=none'
'--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for'
'--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2'
'--enable-snmp'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience//
/
My iptables which is doing redirecting to internal squid ports: /
//Table: nat//
//Chain PREROUTING (policy ACCEPT)//
//num target prot opt source destination//
//1 ACCEPT tcp -- 0.0.0.0/0 192.168.0.121 tcp dpt:443 /*
accept connection *///
//2 REDIRECT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp
dpt:443 /* redirect */ redir ports 3132//
//3 ACCEPT tcp -- 0.0.0.0/0 192.168.0.121 tcp dpt:80 /*
accept connection *///
//4 REDIRECT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:80
/* redirect */ redir ports 3131/
Here is my squid configuration file:
___________________________
visible_hostname local.local
always_direct allow all
dns_nameservers 8.8.8.8
acl step2 at_step SslBump2
ssl_bump stare step2 all
acl sslBumpDeniedDstDomain dstdomain ukr.net www.ukr.net
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
http_port 3131 transparent
https_port 3132 transparent ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
http_access allow all
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /opt/squid/var/ssl_db -M 4MB
sslcrtd_children 15
logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm
%ru %un %Sh/%<A %mt
access_log daemon:/opt/squid/var/logs/access.log logaccess
______________________________________________________
Also, I've run squid like this *//opt/squid/sbin/squid -N -X -d 2/* and
got interesting strings like:
/2014/11/26 04:28:08.622| client_side.cc(3849)
httpsSslBumpAccessCheckDone: sslBump needed
for//*local=212.42.76.246:443*////*remote=192.168.0.122:63719*//FD 40
flags=33 method 5/
Here, the local and remote IP addresses are switched (I checked such
lines when went through the squid directly).
Please, tell me what can be wrong in configuration or squid. I can
provide you with any logs which you may need.
BTW, cache.log is clean.
________________
Best regards
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
