Hi, I am trying my hand at ssl_bump and it's almost working, but only ish-ish, because I have several problems.

I even wonder if this config is correct:

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    acl ssl_bump_broken_sites dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
    ssl_bump none ssl_bump_broken_sites
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump stare step2
    ssl_bump bump all
    sslproxy_capath /etc/ssl/certs
    sslproxy_cert_error allow all
    #sslproxy_cert_error deny all
    sslproxy_flags DONT_VERIFY_PEER
    sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt

<cut>
The following error was encountered while trying to retrieve the URL: https://org.ke.m-pesa.com/*

Failed to establish a secure connection to 196.201.214.212

The system returned:

    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
    Handshake with SSL server failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is <odhia...@gmail.com>.

(Details carried by the error page's report link: CacheHost: gw.crownkenya.com, ErrPage: ERR_SECURE_CONNECT_FAIL, Err: (92) Protocol error, TimeStamp: Wed, 20 Apr 2016 13:22:02 GMT, ClientIP: 192.168.54.63, ServerIP: 196.201.214.212, HTTP Request: "CONNECT / HTTP/1.1", "Host: 196.201.214.212:443".)
</cut>

I thought I could mitigate that with:

    acl ssl_bump_broken_sites dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
    ssl_bump none ssl_bump_broken_sites

..but that doesn't do it...

Secondly, I had to import my CA into all devices on the network (as a trusted CA) so that they don't get the MITM notification. This is a challenge, because I have to do the same for smartphones too, and that is not easy. People don't like intrusive changes. For example, on an Android phone you have to set screen security before you can import such a CA, and after you do, you cannot disable the screen security! Now, that is not something people want.

Another issue is that we allow guests who come onto the premises to use our Wi-Fi (on a different SSID). Without importing the CA, they get the MITM notification and cannot browse. This is because they get assigned IPs in the same subnet we use in the office.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
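The following is an added example (not the poster's configuration, and not an official Squid document): a Squid 3.5 ssl_bump ruleset that addresses the three problems in the message above. Two points drive it. First, the error page shows the intercepted request as "CONNECT / HTTP/1.1" with "Host: 196.201.214.212:443", so at step 1 Squid only knows the server IP, and a dstdomain ACL holding org.ke.m-pesa.com has nothing to match against; the host name is only available after peeking at the ClientHello SNI, which is what the ssl::server_name ACL exposes. Second, the failure itself is Squid, acting as the TLS client, receiving a bad certificate alert from the server; a server typically sends that when it rejects the certificate the client presented, i.e. when the site demands a client certificate, and no bumping proxy can satisfy that, so such a site must be spliced rather than bumped. The guest subnet, the ACL names and the file paths below are assumptions; the exempt-site file is assumed to hold one host name per line.

```squid
# Added example, not the poster's config. Squid 3.5 syntax.
# Assumed: guest SSID on its own subnet, exempt hosts listed one per line.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hosts that must never be bumped, matched on the SNI from the ClientHello
# (and on the CONNECT host when one is known). dstdomain cannot do this at
# step 1 for intercepted traffic, where the CONNECT target is only an IP.
acl nobump_sni ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"

# Guest SSID. This only works once guests are on a subnet of their own;
# while they share the office subnet, Squid cannot tell them apart.
acl guests src 192.168.100.0/24

# Step 1: read the SNI without committing to bump or splice.
ssl_bump peek step1

# Step 2 (SNI now known): tunnel exempt hosts and guests untouched.
# "splice" is the 3.5 name; "none" is its deprecated spelling.
ssl_bump splice nobump_sni
ssl_bump splice guests

# Everyone else: stare at the server certificate, then bump at step 3.
ssl_bump stare step2
ssl_bump bump all

# Weak settings from the posted config, shown for contrast. Do NOT use
# these: together they make Squid accept any server certificate, so every
# bumped client loses server authentication entirely.
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
#
# Hardened equivalent: verify against the system trust store and refuse
# connections whose certificate does not verify.
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error deny all
```

Rule order matters because Squid takes the first matching ssl_bump rule at each step: the splice rules sit above "stare step2" so that exempt hosts and guests are never stared at (splicing after stare is generally not possible), while the bump path is unchanged for office clients that trust the proxy CA.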