I have found that ssl_bump/sslcrtd does not work as expected on FreeBSD 
when used for a MITM intercept SSL proxy. I am using the following squid config 
with an rdr rule in the pf firewall:

http_port 3128 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem

# Strips https and sends request as http to server, but keeps https to client
https_port 3129 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem

always_direct allow all
follow_x_forwarded_for allow all
forwarded_for on

acl localhost src 127.0.0.1/32 ::1
ssl_bump deny localhost
ssl_bump allow all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /local/libexec/squid/ssl_crtd -s /local/squid/ssl_db -M 4MB
sslcrtd_children 5

What happens is the HTTPS connect is sent to clients from squid and the SSL is 
stripped on the proxy request that goes out. It basically strips SSL but makes 
it appear that the client is connected via SSL... This could be a bad thing :)

Maybe someone can take a look at this and explain why sslcrtd/ssl_bump does not 
create an SSL proxy request but instead just goes HTTP?

Thanks. Mike 