Bypass ssl-bump on squid3-dev

marcelloc

whitelisted sites are excluded from ssl-bump acl.

Just remember that squid wildcard is a dot. So to allow onlinebank.com include this way

onlinebank.com <- allow onlinebank.com site
.onlinebank.com <- allow any site on onlinebank.com

Derf

Thanks for your quick answer marcelloc.

I tried to put the sites in the whitelist but it don't do the trick.  :(
Even after a reboot of the pfSense box, the certificates of the sites that should normally bypass SSL filtering are still signed by the CA of pfSense.

Is there maybe a way to have one (or more) IP on my LAN to bypass SSL filtering (but not regular HTTP transparent proxy)?

marcelloc

Source ip exception will skip client for both http and https proxy.

I'll do more testes as soon as possible.

Derf

I also tried (without success  :-) to paste the following into the 'custom options' field:

acl bypass_ssl dstdomain .onlinebank.com
acl bypass_ssl dstdomain .anotherbank.com
ssl_bump none bypass_ssl
ssl_bump server-first all

… same (lack of  :-\ :-) result with the following in an attempt to bypass ssl bump for an IP on my LAN

acl bypass_ssl src 192.168.0.100/24
ssl_bump none bypass_ssl
ssl_bump server-first all

I'll continue investigating, maybe by trying to use WPAD instead of ssl bumping

marcelloc

Can you test these settings with and without transparent mode?

Derf

Sorry, but I've been busy these days.  ::)

I just did some tests with an without transparent proxy and it seems that bypassing SSL bump just don't work in either case.
I think I'll give up SSL filtering for the moment and wait until a more stable version of squid is available…

aGeekhere

Hi, sorry to dig up a old post but is ssl-bump bypassing on squid3-dev working? Been trying to get windows update working and i am unable to bypass the ssl-bump for windows updates (or adobe updates or installs) either with adding domains in the acls white list or by

acl broken_sites dstdomain .update.microsoft.com
acl broken_sites dstdomain .ds.download.windowsupdate.com
acl broken_sites dstdomain .swupdl.adobe.com
acl broken_sites dstdomain .ccmdl.adobe.com
ssl_bump none broken_sites

always_direct allow all
ssl_bump server-first all

Any ideas?

technical

Windows activation sites also not bump squid stopping services

http://support.microsoft.com/kb/921471

Here my config
Custom ACLS (Before_Auth)

acl broken_sites dstdomain .update.microsoft.com
acl broken_sites dstdomain .ds.download.windowsupdate.com
acl broken_sites dstdomain .activation.sls.microsoft.com
acl broken_sites dstdomain .swupdl.adobe.com
acl broken_sites dstdomain .ccmdl.adobe.com
ssl_bump none broken_sites
http_access allow localnet
always_direct allow all
ssl_bump server-first all

Custom ACLS (After_Auth)

always_direct allow all
ssl_bump server-first all

If im delete acl broken_sites dstdomain .activation.sls.microsoft.com squid service working so good but if im include that code squid service stopping

marcelloc

@TechnicaL:

if I include that code squid service stopping

What errors you get on cache.log?

webstor

Hi,

I have the same problem that I cannot define ssl_bump overrides.
There are no errors in the cache.log or access.log

webstor

It is working with destionation ip's:
as example: acl broken_ip dst 199.83.131.101
it is showing its original cert.

so to make an exception list I think the point is reverse dns.

marian78

can you pleas dear sir explai how to?

webstor

I found out, that as example I cannot bypass *.windowsupdate.com or *.google.com.

Please note the wildcard is just for understanding, in the acl it should look like this .google.com

can anyone please test if he is able to bypass this url https://login.salesforce.com  ?
This is one of the urls which can be bypassed without any problems.

I think it comes to errors when you try to bypass a hostname which has more ip-adresses.

marcelloc

@webstor:

It is working with destionation ip's:
as example: acl broken_ip dst 199.83.131.101

Maybe related to transparent proxy. As squid does not know the dns/fqdn before interception.

webstor

yes and no.

He has to generate a certificate for the required domain when bumping server-side first, it is a wildcard generated for the correct domain and not the ip.

I forgot to mention thatyou have to enable resolv dns4 first.

siceff

Hello everyone !
I'm looking for weeks about this issue too… and still have no answer. Here is my configuration : pfsense 2.2, squid3 v3.4.10_2 (pkg 0.2.6).
If configure squid like that : proxy my whole LAN, resolv dns v4 first, transparent http proxy on all interface except WAN, bypass proxy for private addresses. About SSL Interception : enabled on all interface except on WAN with a self-signed certificat (which is included in trusted authority on all computer), adapt certificate "Not before" and I do not check the remote certificate (for test).

Under 'Custom ACLS, before_auth, I try to avoid ssl_bumping for .microsoft.com (for testing purpose).
The Squid service start normaly but when I access to https://www.microsoft.com, it's still be singned with my own CA, so the exception is not working.

Could anyone help me to make this exception working ?

PS: Microsoft KB about ssl exclusion for Windows update, which is my main problem actually : https://support.microsoft.com/kb/885819

webstor

You could try to make an exception list based on ip's.

doktornotor

First of all you should not proxy these at all.

webstor

He does not want to proxy them, but the problem is the bypass with fqdn's. (acl dstdomain isn't working as it should).

doktornotor

You need to tell the client that they should not be proxied… Via proxy.pac plus GPO or whatever. Too late to mess with that once the traffic already hit the transparent proxy!