Hi all,
I'm trying to use these two features at the same time. The use case is pretty 
simple. I want to capture all traffic from a single source (a device of mine) 
to another squid proxy server and decrypt/log it. I'm using the Ubuntu 20 
package of squid-ssl version 4.13.
Device -> ssl_bump proxy -> upstream proxy -> website
It was all successfully working without ssl_bump, so the cache_peer 
configuration works. One side note: the parent proxy is running on 443 without 
SSL (I believe - I don't run it but I've asked those that do for confirmation, 
but I do know it's a pretty standard destination proxy configuration).
The website itself is not directly accessible, thus the upstream proxy is 
required.
Adding the ssl_bump configuration caused it to not work, with errors about SSL 
versions and "Error negotiating SSL connection on FD xx". My best guess is that 
it is attempting to establish an SSL connection to the upstream and failing.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_port 3128 ssl-bump cert=/var/lib/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls_outgoing_options options=NO_SSLv3 flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN cert=/var/lib/squid/ssl_cert/device.pem key=/var/lib/squid/ssl_cert/client.key

(client.key and client.pem are from the device and are needed due to the 
authentication of the session at the destination server. Also, I haven't looked 
at the packet logging yet. I assume that will be an easy addition once the 
setup works generally.)
However, my understanding is that the cache_peer configuration should NOT do 
TLS by default unless that was specified in the options, and I see no way to 
explicitly disable it.
So first question: is that assumption accurate? No TLS to the parent unless 
explicitly configured?
And if the ssl_bump configuration is causing it to attempt an upstream TLS 
connection, how can I force it off?
Anything here that I'm doing obviously wrong?

I appreciate any and all suggestions. Thanks!
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
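As an added example (not from the post, and not Squid's own tooling), a small Python checker for the two questions above: it parses a constructed squid.conf fragment modelled on the posted one, reports whether each cache_peer line carries a tls/ssl option (without one, Squid speaks plain HTTP to the parent), and flags tls_outgoing_options flags that are misspelled or that switch certificate verification off. The parent hostname parent.example.net and the subset of known flags are assumptions.

```python
import re

# Constructed squid.conf fragment modelled on the posted one; the cache_peer line
# (host parent.example.net) is an assumption, the post does not show it.
SAMPLE_CONF = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_port 3128 ssl-bump cert=/var/lib/squid/ssl_cert/myCA.pem \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls_outgoing_options options=NO_SSLv3 flags=DON'T_VERIFY_PEER,DONT_VERIFY_DOMAIN \\
    cert=/var/lib/squid/ssl_cert/device.pem key=/var/lib/squid/ssl_cert/client.key
cache_peer parent.example.net parent 443 0 no-query default
"""

# Subset of the flags Squid accepts in tls_outgoing_options (assumed sufficient here).
KNOWN_FLAGS = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN", "NO_DEFAULT_CA"}
VERIFY_OFF = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN"}


def directives(conf):
    """Yield each directive as a token list, joining backslash-continued lines."""
    for line in re.sub(r"\\\n\s*", " ", conf).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            yield line.split()


def lint(conf):
    """Return human-readable findings about peer TLS use and outgoing TLS flags."""
    findings = []
    for tok in directives(conf):
        if tok[0] == "cache_peer" and len(tok) >= 5:
            host, port, opts = tok[1], tok[3], tok[5:]
            # Squid speaks TLS to a parent only when a tls/ssl option is present.
            tls = any(o in ("tls", "ssl") or o.startswith(("tls-", "ssl")) for o in opts)
            mode = "TLS" if tls else "plain HTTP"
            findings.append(f"cache_peer {host}:{port}: Squid will use {mode} to this parent")
        elif tok[0] == "tls_outgoing_options":
            for opt in tok[1:]:
                if not opt.startswith("flags="):
                    continue
                for flag in opt[len("flags="):].split(","):
                    if flag not in KNOWN_FLAGS:
                        findings.append(f"tls_outgoing_options: unknown flag {flag!r} (typo?)")
                    elif flag in VERIFY_OFF:
                        findings.append(f"tls_outgoing_options: {flag} disables peer certificate "
                                        "checks on every outgoing TLS connection")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```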