Bypass ssl-bump on squid3-dev
-
Hi all,
I installed squi3-dev 3.3.8 pkg 2.2 on my pfsense 2.1 box (AMD64) and I activated the "SSL man in the middle Filtering" in transparent mode.
After allowing use of IPv6 and fetching the appropriate missing libs from marcelloc's server, everything runs just fine, except for a few websites (like banking sites) where ssl-bumping prevents me to access properly to some areas.
To avoid this, I would like to either disable ssl-bumping (without completely bypassing the proxy) for some destination domains (on the web) OR disable ssl-bumping for some source IPs (on my LAN).
I suspect I would need to tweak squid's configuration with custom options but whose I've tried (beeing inspired by
http://www.squid-cache.org/Doc/config/ssl_bump/ ) just won't do the trick.Any help would be appreciated (marcelloc, I think this one's for you ;))
-
whitelisted sites are excluded from ssl-bump acl.
Just remember that squid wildcard is a dot. So to allow onlinebank.com include this way
onlinebank.com <- allow onlinebank.com site
.onlinebank.com <- allow any site on onlinebank.com -
Thanks for your quick answer marcelloc.
I tried to put the sites in the whitelist but it don't do the trick. :(
Even after a reboot of the pfSense box, the certificates of the sites that should normally bypass SSL filtering are still signed by the CA of pfSense.Is there maybe a way to have one (or more) IP on my LAN to bypass SSL filtering (but not regular HTTP transparent proxy)?
-
Source ip exception will skip client for both http and https proxy.
I'll do more testes as soon as possible.
-
I also tried (without success :-) to paste the following into the 'custom options' field:
acl bypass_ssl dstdomain .onlinebank.com acl bypass_ssl dstdomain .anotherbank.com ssl_bump none bypass_ssl ssl_bump server-first all… same (lack of :-\ :-) result with the following in an attempt to bypass ssl bump for an IP on my LAN
acl bypass_ssl src 192.168.0.100/24 ssl_bump none bypass_ssl ssl_bump server-first allI'll continue investigating, maybe by trying to use WPAD instead of ssl bumping
-
Can you test these settings with and without transparent mode?
-
Sorry, but I've been busy these days. ::)
I just did some tests with an without transparent proxy and it seems that bypassing SSL bump just don't work in either case.
I think I'll give up SSL filtering for the moment and wait until a more stable version of squid is available… -
Hi, sorry to dig up a old post but is ssl-bump bypassing on squid3-dev working? Been trying to get windows update working and i am unable to bypass the ssl-bump for windows updates (or adobe updates or installs) either with adding domains in the acls white list or by
acl broken_sites dstdomain .update.microsoft.com acl broken_sites dstdomain .ds.download.windowsupdate.com acl broken_sites dstdomain .swupdl.adobe.com acl broken_sites dstdomain .ccmdl.adobe.com ssl_bump none broken_sites always_direct allow all ssl_bump server-first allAny ideas?
-
Windows activation sites also not bump squid stopping services
http://support.microsoft.com/kb/921471
Here my config
Custom ACLS (Before_Auth)acl broken_sites dstdomain .update.microsoft.com acl broken_sites dstdomain .ds.download.windowsupdate.com acl broken_sites dstdomain .activation.sls.microsoft.com acl broken_sites dstdomain .swupdl.adobe.com acl broken_sites dstdomain .ccmdl.adobe.com ssl_bump none broken_sites http_access allow localnet always_direct allow all ssl_bump server-first allCustom ACLS (After_Auth)
always_direct allow all ssl_bump server-first allIf im delete acl broken_sites dstdomain .activation.sls.microsoft.com squid service working so good but if im include that code squid service stopping
-
-
Hi,
I have the same problem that I cannot define ssl_bump overrides.
There are no errors in the cache.log or access.log -
It is working with destionation ip's:
as example: acl broken_ip dst 199.83.131.101
it is showing its original cert.so to make an exception list I think the point is reverse dns.
-
can you pleas dear sir explai how to?
-
I found out, that as example I cannot bypass *.windowsupdate.com or *.google.com.
Please note the wildcard is just for understanding, in the acl it should look like this .google.com
can anyone please test if he is able to bypass this url https://login.salesforce.com ?
This is one of the urls which can be bypassed without any problems.I think it comes to errors when you try to bypass a hostname which has more ip-adresses.
-
It is working with destionation ip's:
as example: acl broken_ip dst 199.83.131.101Maybe related to transparent proxy. As squid does not know the dns/fqdn before interception.
-
yes and no.
He has to generate a certificate for the required domain when bumping server-side first, it is a wildcard generated for the correct domain and not the ip.
I forgot to mention thatyou have to enable resolv dns4 first.
-
Hello everyone !
I'm looking for weeks about this issue too… and still have no answer. Here is my configuration : pfsense 2.2, squid3 v3.4.10_2 (pkg 0.2.6).
If configure squid like that : proxy my whole LAN, resolv dns v4 first, transparent http proxy on all interface except WAN, bypass proxy for private addresses. About SSL Interception : enabled on all interface except on WAN with a self-signed certificat (which is included in trusted authority on all computer), adapt certificate "Not before" and I do not check the remote certificate (for test).Under 'Custom ACLS, before_auth, I try to avoid ssl_bumping for .microsoft.com (for testing purpose).
The Squid service start normaly but when I access to https://www.microsoft.com, it's still be singned with my own CA, so the exception is not working.Could anyone help me to make this exception working ?
PS: Microsoft KB about ssl exclusion for Windows update, which is my main problem actually : https://support.microsoft.com/kb/885819
-
You could try to make an exception list based on ip's.
-
First of all you should not proxy these at all.
-
He does not want to proxy them, but the problem is the bypass with fqdn's. (acl dstdomain isn't working as it should).