turgut kalfaoğlu
2018-09-04 16:44:43 UTC
Hello there. I have a transparent squid at my home to speed up the
browsing by caching stuff. And it works well for HTTP.
For HTTPS, I was only able to get it to "peek" and I'd like to be able to
bump the connections.
I installed the server certificate on the client, but still, the browser
(firefox) keeps complaining:
Your connection is not secure
The owner of www.facebook.com has configured their website improperly.
To protect your information from being stolen, Firefox has not connected
to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox may only connect to it securely. As a result, it is not possible
to add an exception for this certificate.
Here is what I have:
#
# serverIsBank is a list of domains that are banks essentially. They
# seem more picky.
#
ssl_bump splice serverIsBank
ssl_bump peek all
# ssl_bump bump all   # this does not work, it gives the error above..
https_port 3129 intercept ssl-bump \
       generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
       cert=/etc/squid/ssl_cert/tk2ca.pem key=/etc/squid/ssl_cert/tk2ca.pem \
       sslflags=NO_SESSION_REUSE
tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
sslproxy_cert_error allow all
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M $
sslcrtd_children 50 startup=5 idle=5
Thanks, -turgut
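Added example, not code from the original post or from the Squid project: the same intercepting SslBump setup written the way I would deploy it, with the posted directives I would change kept as comments beside the replacement. It assumes a Squid 4-era directive set, the file paths from the post, that tk2ca.pem is a CA certificate (CA:TRUE, the openssl v3_ca profile) rather than a server certificate, and a bank list in /etc/squid/banks.txt, which is a placeholder name.

```conf
# squid.conf fragment (added example, not from the post). Paths are the
# poster's; /etc/squid/banks.txt and "-M 4MB" are assumptions.

https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/tk2ca.pem key=/etc/squid/ssl_cert/tk2ca.pem

# Initialise the certificate database once, as root, then chown it to the
# user Squid runs as:
#   /usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 50 startup=5 idle=5

# Validate upstream server certificates against the system bundle.
tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt

# Posted:   ssl_bump splice serverIsBank
#           ssl_bump peek all
# "peek all" also peeks at step 2 (the server hello); per the ssl_bump
# documentation, peeking at the server certificate during step 2 usually
# precludes bumping at step 3. Peek only at step 1 to learn the SNI, then
# decide per host while bumping is still possible.
acl step1 at_step SslBump1
acl serverIsBank ssl::server_name "/etc/squid/banks.txt"   # assumed file
ssl_bump peek step1            # read the client hello, commit to nothing
ssl_bump splice serverIsBank   # banks pass through untouched
ssl_bump bump all              # everything else is decrypted and cached

# Posted:   sslproxy_cert_error allow all
# That tells Squid to bypass every upstream certificate error (expired,
# name mismatch, unknown issuer) and hand the client a freshly minted cert
# signed by the trusted bump CA, so a bumped browser can no longer notice a
# bad or spoofed server. Leave the directive out (default: deny), so such
# connections fail with a Squid error page instead.

sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
```

The Firefox message in the post is a trust-store problem, not a Squid one: Firefox ships its own root store and ignores the operating system's unless `security.enterprise_roots.enabled` is set to true, so the CA in tk2ca.pem has to be imported under Certificate Manager, Authorities (export it with `openssl x509 -in tk2ca.pem -outform DER -out tk2ca.der`). HSTS only forbids click-through exceptions; a certificate chaining to an imported CA is not an exception, so a properly trusted bump CA works for HSTS sites as well.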