Hi, sslbump allows me to interrupts ssl connections and run an AV check on them. It generates a certs for the target domain (via sslcrtd), so that the users browser sees a server cert signed by the proxy.
If the target domain has a certificate that is expired, or it not signed by a recognised CA, its important that the lack of trust is communicated to the end user. Example, on connecting direct (not via a proxy) to https://wiki.squid-cache.org the certificated presented is expired 2 years ago and not signed by known CA . Noext on connecting via a sslbump proxy (v3.2.0.14), the proxy creates a valid cert for wiki.squid-cache.org and in the user's browsers it looks like wiki.squid-cache.org has a valid cert signed by the proxy. So my question is: What ssl_bump settings would allow the proxy to handle such destinations with expired or non trusted sites by, for example: a) Not bumping the connection but piping it through to the user unchanged, so the user browser notices the invalid certs? b) Refuses the connection with a message to the user, if the destination is not on an allowed ACL of exceptions. Looking at squid.conf, there is sslproxy_flags, sslproxy_cert_error # TAG: sslproxy_flags # DONT_VERIFY_PEER Accept certificates that fail verification. # NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL. # TAG: sslproxy_cert_error # Use this ACL to bypass server certificate validation errors. So, the following config would then implement scenario b) above? # Verify destinations: yes, but allow exceptions sslproxy_flags DONT_VERIFY_PEER #sslproxy_flags none # ignore Certs with certain cites acl TrustedName url_regex ^https://badcerts.example.com/ sslproxy_cert_error allow TrustedName sslproxy_cert_error deny all ==> But then, why does it not throw an error when connecting to https://wiki.squid-cache.org ? Next I though it might be an idea to delete any cached certs and try again. Looking in /var/lib/squid_ssl_db/index.txt, there is an extra for the destination: V 121107103058Z 0757348E unknown /CN=www.squid-cache.org So, then I deleted 0757348E.pem to force a new cert to be generated, and restarted squid. Connecting to https://wiki.squid-cache.org/ resulted in a new cert being silently generated, stored in 075734AD.pem and the https connection signed. What am I going wrong? Finally had a look at the sources: sslproxy_flags led to Config.ssl_client.flags in cf_parser.cci which led to ssl_client.sslContext in cache_cf.cc to initiateSSL() in forward.cc and finally ssl_verify_cb in ssl/support.cc. There one finds nice debugs prefixed with "83", so, enabled high debugging for 83: debug_options ALL,1 83,20 23,2 26,10 33,4 84,3 Restarted squid, and watched with tail -f cache.log|egrep -i "SSL|certificate" but dont see certificate errors. Any suggestions? Thanks, Sean
