On Thu, Aug 4, 2016 at 10:20 AM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 08/03/2016 08:45 PM, JR Dalrymple wrote:
>
> > To be brutally honest the whole concept is still a bit lost on me
>
> [rant]Admitting one's limitations is often the most difficult first
> step, but please do not stop here! Suggestions for where to go next: Ask
> good questions, do not accept answers you do not fully understand,
> provide excellent debugging info, and carefully update Squid wiki as you
> master the concept. Repeat as needed.
>
> IMHO, without solid SslBump understanding and providing good debugging,
> you confine yourself to the endless copy-pasting of random config
> snippets that usually do something you do not want and do not do
> something you do want. Your ability to troubleshoot problems (and there
> will be problems!) approaches zero in this case.
>
> Most Squid-related concepts are easy and can be brute-forced by
> trial-and-error. SslBump is different.[/rant]
>
> > I'm still having issues I'm afraid - albeit different issues. My problem
> > now reads a lot like this guy's issue:
> > https://www.mail-archive.com/misc@openbsd.org/msg144692.html
>
> That email thread does not have enough info to know what the problem
> really is and contains a seemingly bogus (or at least very poorly
> detailed) solution. In other words, this is one of the many SslBump
> threads you may be better off ignoring for now.
>
> > My browser just times out and no
> > auto-generated certificate is ever generated.
>
> > ssl_bump stare all
> > ssl_bump bump all
>
> Sounds like a good start to me, provided you _understand_ what these
> rules do and why this simple configuration is equivalent to the more
> complex one!
>
> > I've
> > turned off the debugging as I wasn't getting anything terribly useful
> > out of it.
>
> That's fine if you want folks to keep guessing what your problem is. If
> you want more efficient help, use the latest Squid, isolate the problem
> to a single HTTPS transaction, and share the corresponding ALL,9 log:
>
> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>
> HTH,
>
> Alex.

Thanks for the encouragement, Alex. I was doing single-transaction debugging all along, as this is currently configured in a lab with a single client. I've gotten it working at this point, but not due to diligent debugging I'm afraid - more just a lucky shot in the dark. I reconfigured my system and lab network to perform the bump on intercepted traffic. It *just works*. I honestly don't care to backtrack and debug direct proxy requests, as it wasn't part of my planned end-state anyway.

For posterity's sake, here are the relevant parts of my working configuration:

/etc/pf.conf:

    pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
    pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129

squid.conf:

    http_port 127.0.0.1:3128 intercept
    https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem

    # /usr/local/squid/sbin/squid -v
    Squid Cache: Version 3.5.20
    Service Name: squid
    configure options:  '--enable-icmp' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-auth' '--with-openssl' --enable-ltdl-convenience

    # uname -a
    OpenBSD router.example.local 5.9 GENERIC#1761 amd64

Thanks again for all your help.
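Added example, not part of the thread or of Squid: a small Python cross-check that reads constructed copies of the pf.conf and squid.conf lines above and verifies that every divert-to target has a matching Squid *_port with intercept, and that the HTTPS listener carries ssl-bump, a cert= and ssl_bump rules. The parsing of the two formats is an assumption about their common layout, not a full pf or squid.conf grammar.

```python
import re

# Constructed sample input mirroring the working config quoted in the thread
# (re-typed here as test data, not the poster's actual files).
PF_CONF = """\
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129
"""
SQUID_CONF = """\
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
ssl_bump stare all
ssl_bump bump all
"""

# pf rule shape assumed: "pass in ... port <dst> divert-to <addr> port <port>"
PF_RE = re.compile(r"^pass\s+in\b.*?\bport\s+(\d+)\s+divert-to\s+(\S+)\s+port\s+(\d+)", re.M)
# squid listener shape assumed: "http_port|https_port [addr:]<port> <options...>"
PORT_RE = re.compile(r"^(https?_port)\s+(?:(\S+):)?(\d+)[ \t]*(.*)$", re.M)

def parse_pf(text):
    """Map each intercepted destination port to its (divert address, divert port)."""
    return {int(d): (a, int(p)) for d, a, p in PF_RE.findall(text)}

def parse_squid(text):
    """Map each Squid listening port to (directive, bind address or None, option set)."""
    return {int(p): (d, a or None, set(o.split())) for d, a, p, o in PORT_RE.findall(text)}

def check_intercept(pf_text, squid_text):
    """Return a list of findings; an empty list means pf and squid agree."""
    findings = []
    listeners = parse_squid(squid_text)
    has_bump_rules = re.search(r"^ssl_bump\s", squid_text, re.M) is not None
    for dst, (addr, dport) in parse_pf(pf_text).items():
        if dport not in listeners:
            findings.append(f"pf diverts port {dst} to {addr}:{dport} but no *_port listens on {dport}")
            continue
        directive, laddr, opts = listeners[dport]
        if laddr and laddr != addr:
            findings.append(f"{directive} {dport} binds {laddr} but pf diverts to {addr}")
        if "intercept" not in opts:
            findings.append(f"{directive} {dport} lacks 'intercept' for diverted port {dst} traffic")
        if dst == 443:
            if directive != "https_port":
                findings.append(f"port 443 traffic is diverted to {directive} {dport}, not an https_port")
            elif "ssl-bump" not in opts:
                findings.append(f"https_port {dport} lacks 'ssl-bump'")
            elif not any(o.startswith("cert=") for o in opts):
                findings.append(f"https_port {dport} has ssl-bump but no cert= (the signing CA)")
            elif not has_bump_rules:
                findings.append("https_port has ssl-bump but squid.conf has no ssl_bump rules")
    return findings

if __name__ == "__main__":
    for line in check_intercept(PF_CONF, SQUID_CONF) or ["OK: pf divert-to rules and squid ports agree"]:
        print(line)
```

Pointing the two constants at real files (or reading them from disk) turns this into a quick pre-flight check before chasing a hanging intercepted connection through an ALL,9 log.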
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users