Netgate Discussion Forum

SSLBUMP without MITM

Cache/Proxy
58 Posts 11 Posters 26.3k Views
pfsensation:

      Thanks for the fantastic work Doktornotor. I am loving the new updates to Squid and how user friendly you are making it. Even the small things like the explanation. Helps me out a lot! Thanks again mate!

EDIT: I'm having issues with splice all messing up certain apps such as Telegram, or Instagram (sometimes). On Telegram it was getting no connection to their servers at all. I turned off the splice all setting, everything worked perfectly; put it back on, messages went through, images didn't work. Turned splice all off, images, everything worked… It's very strange.

doktornotor:

        Not using Telegram or Instagram (or Facebook, or Twitter). Will be of no help there. Maybe someone else.

shonjir:

          @doktornotor:

          Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it.  :P (Try clicking the blue "i")

          Actually I did read them, but the descriptions didn't seem to be fully clear to me.  ???

          I do appreciate the updates however - they're working great.  8)

kopraasbotha:

Hi all, please can someone explain which settings on the GUI I should change to be able to do the same SSLbump without MITM as the OP? I too don't want any certs on clients but want to block HTTPS sites.

Bismarck @kopraasbotha:

              @kopraasbotha

[screenshot attachment]

Just set Splice All, that's it.

kopraasbotha @Bismarck:

@Bismarck, I've tried this. There are still so many SSL cert errors on the workstations. Is there any other fine-tuning I could do?
[screenshot attachment]

Bismarck @kopraasbotha:

                  @kopraasbotha said in SSLBUMP without MITM:

                  SSL cert errors

There should be none. What kind of SSL cert errors do you get, for example?

kopraasbotha @Bismarck:

                    @Bismarck thanks for the quick reply. I get the below:

[screenshot attachment]

Bismarck @kopraasbotha:

                      @kopraasbotha

This looks like SslBump and not like SpliceAll to me, but I'm not a real Squid "Pro" tbh.

                      Do you have any custom config setup?

                      Please post the "# SslBump Peek and Splice" part of your /usr/local/etc/squid/squid.conf

kopraasbotha @Bismarck:

@Bismarck I didn't add any custom config. Here's the "sslbump peek and splice" config:

                        acl step1 at_step SslBump1
                        acl step2 at_step SslBump2
                        acl step3 at_step SslBump3
                        acl allowed_subnets src 10.11.0.0/21 10.0.0.0/24
                        acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
                        http_access allow manager localhost

                        http_access deny manager
                        http_access allow purge localhost
                        http_access deny purge
                        http_access deny !safeports
                        http_access deny CONNECT !sslports

Bismarck @kopraasbotha:

                          @kopraasbotha

                          Yep, your config is SslBump and not Splice, but dunno why. Maybe some more expert can chime in.

                          https://wiki.squid-cache.org/Features/SslPeekAndSplice

kopraasbotha @Bismarck:

@Bismarck, thanks for the help. I saw the ssl_bumps just underneath "custom options before auth", but there's a two-line space between this section and the config, so I'm not sure if it's part of it.

                            Custom options before auth

                            acl sglog url_regex -i sgr=ACCESSDENIED
                            http_access deny sglog
                            ssl_bump peek step1
                            ssl_bump splice all

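As an added example (my own script, not code from the Squid project, from pfSense or from anyone in this thread), here is a small Python auditor that walks Squid's three SslBump steps over the ssl_bump rules posted above and reports whether a connection ends up spliced (passed through, no client-side CA needed) or bumped (decrypted and re-signed, which is what produces certificate errors on workstations without the proxy CA). It assumes the documented first-matching-rule-per-step evaluation, with peek/stare continuing to the next step and splice/bump/terminate being final; the truth of ACLs that are not `at_step` (src, dstdom_regex, ssl::server_name) is taken from a hypothetical `facts` dict rather than evaluated, and when no rule matches at a step it reports `nomatch` instead of guessing Squid's default for that version. `THREAD_CONF` is the config from this thread; `BUMP_CONF` is a constructed contrast case and is not from the thread.

```python
"""Audit a Squid ssl_bump rule set: will a TLS connection be spliced
(passed through untouched, no MITM) or bumped (decrypted and re-signed)?

Assumed model (from the Squid SslPeekAndSplice documentation): at each of
the three SslBump steps the first ssl_bump rule whose ACLs all match wins;
peek/stare go on to the next step, splice/bump/terminate end evaluation.
If nothing matches at a step we report 'nomatch' rather than guess."""

STEPS = ("SslBump1", "SslBump2", "SslBump3")
FINAL_ACTIONS = {"splice", "bump", "terminate"}
CONTINUE_ACTIONS = {"peek", "stare"}


def parse_squid_conf(text):
    """Collect acl definitions (name -> (type, args)) and the ordered
    ssl_bump rules (action, [acl tokens]) from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) >= 3 and parts[0] == "acl":
            name, acl_type, args = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(args)
        elif len(parts) >= 2 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(token, step, acls, facts):
    """Evaluate one ACL token ('name' or '!name') at the current step.
    'all' is always true and at_step ACLs are evaluated exactly; every
    other ACL type is looked up in the caller-supplied 'facts' mapping
    (hypothetical: which named ACLs this connection would match)."""
    negate = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":
        result = True
    elif name in acls and acls[name][0] == "at_step":
        result = step in acls[name][1]
    else:
        result = bool(facts.get(name, False))
    return result != negate


def effective_bump_action(text, facts=None):
    """Return (final_action, trace); trace lists (step, chosen_action)."""
    facts = facts or {}
    acls, rules = parse_squid_conf(text)
    trace = []
    for step in STEPS:
        chosen = next((action for action, tokens in rules
                       if all(acl_matches(t, step, acls, facts) for t in tokens)),
                      None)
        trace.append((step, chosen))
        if chosen is None:
            return "nomatch", trace
        if chosen not in CONTINUE_ACTIONS:
            return chosen, trace          # splice/bump/terminate (or legacy action)
    return "undecided", trace             # still peeking after the last step


def explain(text, facts=None):
    """One-line verdict an admin can act on."""
    action, trace = effective_bump_action(text, facts)
    path = " -> ".join(f"{s}:{a}" for s, a in trace)
    if action == "splice":
        return f"{path}: spliced, TLS passes through untouched; no CA needed on clients"
    if action == "bump":
        return (f"{path}: bumped, Squid terminates TLS with its own CA; "
                "clients without that CA get certificate errors")
    return f"{path}: {action}"


# The rules posted in this thread (peek at step 1, then splice everything).
THREAD_CONF = """\
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl allowed_subnets src 10.11.0.0/21 10.0.0.0/24
ssl_bump peek step1
ssl_bump splice all
"""

# Constructed contrast case (not from the thread): decrypt everything except
# server names on an exception list.
BUMP_CONF = """\
acl step1 at_step SslBump1
acl nobump ssl::server_name .bank.example
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
"""

if __name__ == "__main__":
    print(explain(THREAD_CONF))
    print(explain(BUMP_CONF))
    print(explain(BUMP_CONF, {"nobump": True}))
```

Run it against the "# SslBump Peek and Splice" and "Custom options before auth" sections of /usr/local/etc/squid/squid.conf pasted together: if the verdict is `splice` but workstations still show certificate errors, the errors are not coming from these ssl_bump rules and something else on the path (another proxy, a different squid.conf being loaded, or the error page itself being served over TLS) is worth checking.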
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.