So I took the advice of those here to get explicit working first, so here's my first attempt. My test environment is Ubuntu 15.04 Server as the squid server with virtualbox running on it with Kali linux as the client. Here's my Squid 3.5.4 configure line:
/configure --prefix=/opt --enable-icap-client --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none Full squid.conf: ##################################### acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT http_access allow all sslproxy_cert_error allow all sslproxy_cert_error deny all sslproxy_capath /etc/ssl/certs sslproxy_flags DONT_VERIFY_PEER sslproxy_options ALL sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB sslcrtd_children 5 http_port 3129 ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE external_acl_type sni ttl=30 concurrency=10 children-max=20 children-startup=5 %ssl::>sni /opt/etc/squid/bumphelper.py acl sni_exclusions external sni acl tcp_level at_step SslBump1 acl client_hello_peeked at_step SslBump2 ssl_bump peek tcp_level all ssl_bump splice client_hello_peeked sni_exclusions ssl_bump bump all logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::bump_mode %ssl::>sni %ssl::>cert_subject access_log syslog:daemon.info mine refresh_pattern -i (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 coredump_dir /opt/var ##################################### bumphelper.py: ##################################### #!/usr/bin/python import sys while True: req = sys.stdin.readline() if not req: break id, sni = req.split() sys.stderr.write('request %r\n' % req) sys.stderr.flush() if sni == 'google.com': # bypass sys.stdout.write('{} OK\n'.format(id)) sys.stdout.flush() else: sys.stdout.write('{} ERR\n'.format(id)) sys.stdout.flush() ##################################### The tests: root@kali:~/test# wget -d https://www.google.com ###################################### DEBUG output created by Wget 1.13.4 on linux-gnu. URI encoding = `UTF-8' URI encoding = `UTF-8' --2015-05-28 17:44:31-- https://www.google.com/ Connecting to 192.168.1.6:3129... connected. Created socket 4. Releasing 0x092c6730 (new refcount 0). Deleting unused 0x092c6730. ---request begin--- CONNECT www.google.com:443 HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) ---request end--- proxy responded with: [HTTP/1.1 200 Connection established ] ---request begin--- GET / HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) Accept: */* Host: www.google.com Connection: Close Proxy-Connection: Keep-Alive ---request end--- Proxy request sent, awaiting response... ---response begin--- HTTP/1.1 503 Service Unavailable Server: squid/3.5.4 Mime-Version: 1.0 Date: Thu, 28 May 2015 23:44:33 GMT Content-Type: text/html;charset=utf-8 Content-Length: 3899 X-Squid-Error: ERR_SECURE_CONNECT_FAIL 32 Vary: Accept-Language Content-Language: en X-Cache: MISS from analysis Via: 1.1 analysis (squid/3.5.4) Connection: close ---response end--- 503 Service Unavailable URI content encoding = `utf-8' 2015-05-28 17:44:32 ERROR 503: Service Unavailable. ######################################## access.log entry for the above wget: ##################################### May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "CONNECT www.google.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.google.com - May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] "GET https://www.google.com/ HTTP/1.1" 503 4242 TAG_NONE:HIER_NONE - www.google.com - ##################################### sudo /opt/sbin/squid -d 1 -N -f /opt/etc/squid/squid.conf ###################################### 2015/05/28 17:44:33| Error negotiating SSL on FD 14: error:00000000:lib(0):func(0):reason(0) (5/-1/32) ###################################### I see the same type of thing for apple.com and yahoo.com. I'm assuming this is HSTS, but I could be wrong. MSN however works fine with the above: root@kali:~/test# wget -d https://www.msn.com ###################################### DEBUG output created by Wget 1.13.4 on linux-gnu. URI encoding = `UTF-8' URI encoding = `UTF-8' --2015-05-28 18:24:50-- https://www.msn.com/ Connecting to 192.168.1.6:3129... connected. Created socket 4. Releasing 0x0a6493c0 (new refcount 0). Deleting unused 0x0a6493c0. ---request begin--- CONNECT www.msn.com:443 HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) ---request end--- proxy responded with: [HTTP/1.1 200 Connection established ] ---request begin--- GET / HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) Accept: */* Host: www.msn.com Connection: Close Proxy-Connection: Keep-Alive ---request end--- Proxy request sent, awaiting response... ---response begin--- HTTP/1.1 200 OK ###################################### May 28 18:24:51 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:51 -0600] "CONNECT www.msn.com:443 HTTP/1.1" 200 0 TAG_NONE:HIER_DIRECT peek www.msn.com - May 28 18:24:52 analysis squid: 192.168.1.91 - - [28/May/2015:18:24:52 -0600] "GET https://www.msn.com/ HTTP/1.1" 200 38613 TCP_MISS:HIER_DIRECT bump www.msn.com - ###################################### I found that adding %ssl::bump_mode to logging sure helped out with where I was at in the steps. I also tried the new acl ssl::server_name instead of using the external helper, but I got the same results with google, yahoo, and apple. Even setting ssl_bump splice all didn't work well...it appears that yahoo, google, and apple are peek resistant. I'll keep digging. Thank you. James
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users