3

I'm trying to get Squid 3.4 to do SSL Bumping with the server-first method. I followed this guide in Alpine Linux.

I'm working in explicit mode (browser configured to go to the proxy) and that works well. I generated my key and my CSR as well, rebuilt squid3 with the --enable-ssl and --enable-ssl-crtd options, and when I got my certificate back from COMODO (I chose a test one, valid for 1 month, to do the POC), I placed it in my Squid config.

Then I got the following error:

Dec 08 08:15:12 proxy squid3[2166]: No valid signing SSL certificate configured for http_port 192.168.10.4:3128
Dec 08 08:15:12 proxy squid3[2136]: Starting Squid HTTP Proxy 3.x: squid3FATAL: No valid signing SSL certificate configured for http_port 192.168.10.4:3128

Here is my squid3 config:

# Subnet defs in ACL
acl wifi_lan src 192.168.11.0/24
acl dmz_lan dst 192.168.10.0/24 0.0.0.0/32 ::1
acl dmz_lan_nas dst 192.168.10.5
acl dmz_lan_proxy dst 192.168.10.4

# Proto defs in ACL
acl SSL_ports port 443
acl SSL_ports port 5001
acl SSL_ports port 5006
acl SSL_ports port 8443
acl SSL_ports port 8444

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 5001        # Synology DSM
acl Safe_ports port 631         # CUPS
acl CONNECT method CONNECT
acl netflix dstdomain *.netflix.com
acl no_ssl_interception dstdomain .dropbox.com .hotmail.com nas.tourneur.be

# HTTP accesses
no_cache deny dmz_lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow dmz_lan_nas
http_access allow dmz_lan_proxy
http_access deny dmz_lan
http_access allow localhost
http_access allow wifi_lan
http_access deny all

# System section
via off
forwarded_for off
pipeline_prefetch on
connect_timeout 20 seconds
coredump_dir /var/spool/squid3
cache_mgr admin@example.com
visible_hostname proxy.example.com
access_log syslog:user.warning

# Connector sections
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid3/ssldb -M 4MB
sslcrtd_children 12
redirector_access deny netflix
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 24
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 10 startup=0 idle=1 concurrency=0

cache_peer 127.0.0.1 parent 8118 7 no-query no-digest no-netdb-exchange
cache_peer_access 127.0.0.1 deny netflix
acl ftp proto FTP
always_direct allow netflix
always_direct allow ftp
never_direct allow all
request_header_max_size 32 KB
reply_header_max_size 32 KB

# Cache section
cache_mem  256 MB
maximum_object_size_in_memory 1 MB
cache_dir aufs /var/spool/squid3 16382 16 256
memory_replacement_policy heap LRU
cache_replacement_policy heap LRU

# ssl config
ssl_bump none localhost
ssl_bump none no_ssl_interception
ssl_bump server-first SSL_ports
## Allow server side certificate errors such as untrusted certificates, otherwise the connection is closed for such errors
sslproxy_cert_error allow all
## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
sslproxy_flags DONT_VERIFY_PEER

http_port 192.168.10.4:3128 ssl-bump cert=/etc/squid3/keys/squid.crt key=/etc/squid3/keys/squid.key generate-host-certificates=on options=NO_SSLv2

Any idea what I'm doing wrong?

Thanks for your help and advice :)

masegaloeh
user257666
  • SELinux perhaps? [This thread](http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-No-valid-signing-SSL-certificate-configured-for-https-port-td4666538.html) mentions it. – Nathan C Dec 08 '14 at 17:32

2 Answers

1

In order to do SSL Bump you must be using a self-signed root certificate file. The one you mentioned from Comodo will never work.

SSL Bump does a Man-In-The-Middle attack on the HTTPS connections: Squid contacts the remote HTTPS server on your behalf and then mimics the secure connection by faking the remote site's certificate and signing it with the configured self-signed root key. You also must install this self-signed root certificate as trusted in all your browsers.

Steps to generate correct certificate are described at http://docs.diladele.com/administrator_guide_4_0/system_configuration/https_filtering/generate_certificates.html

Rafael
0

These are the steps for Ubuntu; you may adapt them for Alpine Linux.

Compile with the following options:

--enable-ssl
--with-openssl
--enable-ssl-crtd
--enable-security-cert-generators="file"

Generate the CA cert and key:

mkdir /etc/squid/ssl_cert
chown proxy /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.key -out myCA.crt

Update /etc/squid/squid.conf:

always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.crt key=/etc/squid/ssl_cert/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

Generate the ssl_db before restarting Squid:

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

Start Squid:

systemctl restart squid
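The script below is an added example and is not code from the question or from either answer. It ties the first answer's point (the bump certificate must be a self-signed root, not a server certificate bought from a public CA) to the second answer's openssl req step: it generates a CA the way that command does, generates a CA:FALSE server-style certificate standing in for what a public CA issues, and defines is_signing_ca, which checks the two properties a certificate needs before Squid can sign forged site certificates with it: a CA:TRUE basic constraint (browsers reject every certificate signed by a non-CA) and a private key that actually matches the certificate. The minimal openssl.cnf, the file names and the CN are assumptions made for the demo; the only dependency is the openssl binary.

```shell
#!/bin/sh
# Added example (not from the original question or answers): check whether a
# certificate/key pair can serve as Squid's SSL Bump signing CA. Assumes the
# `openssl` binary is on PATH; file names and CN below are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
# ca_ext is what a bump CA needs; leaf_ext mimics a certificate issued by a public CA.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Squid Bump Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# gen_cert NAME EXT_SECTION: self-signed certificate and unencrypted key,
# same shape as the openssl req command in the second answer.
gen_cert() {
    openssl req -new -newkey rsa:2048 -sha256 -days 30 -nodes -x509 \
        -config "$WORK/openssl.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# is_signing_ca CRT KEY: returns 0 only if CRT carries CA:TRUE and KEY is its private key.
is_signing_ca() {
    crt="$1"
    key="$2"
    # 1. Basic Constraints must say CA:TRUE; a server certificate from a public CA never does.
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || return 1
    # 2. The public key inside the certificate must match the private key we were given.
    cert_pub="$(openssl x509 -in "$crt" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$key" -pubout)"
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# report CRT KEY LABEL: human-readable verdict for the demo run.
report() {
    if is_signing_ca "$1" "$2"; then
        echo "$3: usable as SSL Bump signing CA"
    else
        echo "$3: NOT usable as SSL Bump signing CA"
    fi
}

gen_cert ca ca_ext       # the self-signed root the answers describe
gen_cert leaf leaf_ext   # stand-in for a public-CA server certificate
gen_cert other ca_ext    # a second CA, used only to demonstrate a key mismatch

report "$WORK/ca.crt"   "$WORK/ca.key"    "ca.crt + ca.key"
report "$WORK/leaf.crt" "$WORK/leaf.key"  "leaf.crt + leaf.key"
report "$WORK/ca.crt"   "$WORK/other.key" "ca.crt + other.key"
```

Point is_signing_ca at the files named in your http_port cert= and key= options. A certificate bought from a public CA fails the first check by design, since it is issued without CA:TRUE, which is why the first answer says it will never work for bumping; a pass on both checks but a continued "No valid signing SSL certificate" error means the problem lies elsewhere (file permissions or the SELinux angle raised in the comments).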