Table of Contents

Middleware

Squid SSL Bump



How to check compile option

The configure options parameter must contain the --enable-ssl-crtd and --with-openssl values.

# squid -v
Squid Cache: Version 3.4.5
configure options:  '--build=x86_64-redhat-linux-gnu' '--Host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'Host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


Squid Install

yum install gcc gcc-c++ openssl-devel -y
cd /usr/local/src
wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
tar xf squid-4.17.tar.gz
chown -R root. squid-4.17
cd squid-4.17
./configure --prefix=/usr/local/squid --enable-ssl-crtd --with-openssl --with-default-user=squid
make all
make install


Using OpenSSL to create certificates

cd /usr/local/squid/etc/
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
chown squid:squid myCA.pem
chmod 400 myCA.pem

/usr/local/squid/etc/squid.conf

#http_port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/etc/myCA.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/usr/local/squid/var/cache/squid/ssl_db -M 16MB
sslcrtd_children 20
sslproxy_cert_error deny all
ssl_bump stare all
/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 16MB
chown -R squid:squid /usr/local/squid/var/


Tips

Adding exclusions for SSL Bumping

/etc/squid/donotbump.list
example.com
test.example.com
.domain.com
/etc/squid/squid.conf
acl do_not_bump dstdomain "/etc/squid/donotbump.list"
ssl_bump splice do_not_bump


ssl_bump stare all


Reference