Squid MitM: ssl-bump missing



  • Hello,

    Well… finally squid + squidGuard worked fine for me but for some reason it stopped working and I could not find a solution for myself. Hopefully someone could help me, please.

    I have the following settings (most important ones):

    • Proxy interfaces: LAN + loopback
    • Proxy port: 3128
    • Transparent HTTP mode: enabled
    • SSL/MITM Mode: Splice All
    • Transparent proxy interface: LAN (unable to select loopback)
    • SSL Proxy Port: 3228

    When I invoke the squid command from the command line, squid will complain about ssl-bump missing and prints a fatal error regarding to the https_port (please see below).

    It worked before and I already have re-installed squid + squidGuard. I have also uninstalled en re-installed both. I have also removed the config files (which was not such a clever thing as the config is saved in the config.xml file... ah well, at least the config files have been regenerated from the xml).

    I could not find a way to install ssl-bump. I have tried to find it (pkg command) but could not find it.

    Some help/guidance would be very much appreciated. Thank you!

    [2.3.4-RELEASE][admin@router.alpha.inet]/root: squid -z
    2017/09/10 23:02:41| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.
    FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3228 intercept
    Squid Cache (Version 3.5.26): Terminated abnormally.
    CPU Usage: 0.038 seconds = 0.038 user + 0.000 sys
    Maximum Resident Size: 55696 KB
    Page faults with physical i/o: 0

    [2.3.4-RELEASE][admin@router.alpha.inet]/root: squid -z
    2017/09/10 23:05:41| Squid is already running!  Process ID 59688


  • Banned

    Uncheck the loopback interface.



  • Many thanks for your reply. I have tried your suggestion. Unfortunately this results in similar behaviour.

    [2.3.4-RELEASE][root@router.alpha.inet]/var/squid/logs: squid -z
    2017/09/11 22:45:48| FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.
    FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: https_port 127.0.0.1:3228 intercept
    Squid Cache (Version 3.5.26): Terminated abnormally.
    CPU Usage: 0.037 seconds = 0.037 user + 0.000 sys
    Maximum Resident Size: 56512 KB
    Page faults with physical i/o: 0

    Do you know if it is feasible to run Squid without the transparent feature and to use NAT and/or firewall rules to forward requests? For example forward traffic for port 80 to port 3128 and port 443 to 3228?

    I have already tried some settings. What I have done is created my own anti lockout rule, then disabled the default anti lockout rule and next added the port forwards (as described above). Although it seems to work squid reports and illegal URL (it seems to see only a forward slash).

    I am hoping the above is feasible one way or another. I like to experiment with pfSense but I still have to learn a lot.

    I also do not understand the message regarding to "ssl-bump". Do I need to install some library? I can't find much about ssl-bump online.

    Many thanks for you help.


  • Banned

    This works out of the box for everyone but you. Perhaps post some screenshots of what you configured where and the entire squid.conf file.

    And no, you don't install any library. Would also suggest to stop messing with the firewall, you are just creating conflicts with the transparent Squid which handles the required firewall rules on its own.



  • @doktornotor:

    This works out of the box for everyone but you….

    and me…
    I have never been able to get this conf working unless the use of  WPAD.



  • Okay! I have got everything up and running.

    I wiped my firewall and started over again.
    In the end I think I have found the problem…
    I had selected the ACME / Let's Encrypt CA  :-[



  • Banned

    Erm, well yes, this must be a CA you have a private key to, so that it can issue certificates. Needs input validation.


  • Banned

    0.4.42 no longer allows users to select unusable certs/CAs.