Using Squid to Proxy SSL (SSL Bumping) sites in Amazon Linux 2

    Configure SSL Bumping in the Squid service if the proxy has to see inside HTTPS traffic. Without SSL Bumping, Squid only tunnels the client's CONNECT request and cannot intervene in the TLS handshake, so it cannot filter, log or cache the content of encrypted sites.



    SSL Bumping requires a CA certificate and its private key in PEM format. Squid uses this CA to sign the per-host certificates it generates on the fly, so the certificate must be a CA certificate (the v3_ca extensions used below set basicConstraints CA:TRUE), and every client that goes through the proxy must trust it.

    1. Create a working directory for the certificate files and change into it:

      mkdir /tmp/ssl_cert1

      cd /tmp/ssl_cert1

    2. Create a self-signed SSL certificate. To do so, execute the command:

      openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.key -out squid-ca-cert.crt

      You will be prompted to fill in the subject fields (country, organization, common name and so on) of the self-signed certificate. A distinctive common name such as "Squid Proxy CA" makes the certificate easy to recognise in client trust stores later.

    3. Fill in the fields of the self-signed SSL certificate.

      The certificate file squid-ca-cert.crt and the private key file squid-ca-key.key are created in PEM format. The private key is the secret that allows anyone holding it to mint certificates every client will trust; it must stay on the proxy and is never distributed.

    4. Convert the certificate (only the certificate, never the key) into DER format so that it can be imported into browsers that do not accept PEM. To do so, execute the command:

      openssl x509 -in squid-ca-cert.crt -outform DER -out squid-ca-cert.der

      (The original named the output squid-dhparam.der, which is misleading: this file is the CA certificate, not Diffie-Hellman parameters.)

    The self-signed SSL certificate will be created.

    To configure SSL Bumping in the Squid service (these steps are for Squid 4):

    1. Make sure that the installed Squid service supports the necessary options. To do so, execute the command:

      squid -v

      The output shows the version and the configure options; the configure options must contain --enable-ssl-crtd and --with-openssl, otherwise the ssl_bump and sslcrtd_program directives below are rejected.

    2. Copy the certificate and the key into a directory that Squid can read. The http_port directive below refers to the certificate and key as separate files, so the combined certificate-plus-key PEM is only needed if you prefer to keep a single file:

      sudo mkdir -p /etc/squid/ssl_certs

      sudo cp squid-ca-cert.crt squid-ca-key.key /etc/squid/ssl_certs/

      cat squid-ca-cert.crt squid-ca-key.key > squid-ca-cert-key.pem

      sudo mv squid-ca-cert-key.pem /etc/squid/ssl_certs/

    3. Generate the parameter file for the Diffie-Hellman key exchange. To do so, execute the command:

      openssl dhparam -outform PEM -out /etc/squid/ssl_certs/squid-dhparam.pem 2048

    4. Restrict the permissions on the certificate directory so that only the squid user can read the private key:

      chown -R squid:squid /etc/squid/ssl_certs/

      chmod 400 /etc/squid/ssl_certs/*

    5. Stop the Squid service if it is running. To do so, execute the command:

      service squid stop


    6. Create a directory for the certificate database and initialize the database (the rm -rf only discards previously generated host certificates, which Squid regenerates on demand). To do so, run the following commands:

      mkdir -p /var/lib/squid

      rm -rf /var/lib/squid/ssl_db

      /usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB

      chown -R squid:squid /var/lib/squid


    7. In the /etc/squid/squid.conf configuration file, make the following changes:

      a. Add the following directives at the beginning of the file, or at least before the first http_access directive, so that Squid's own fetches of missing intermediate certificates are not blocked by your access rules:

      acl intermediate_fetching transaction_initiator certificate-fetching

      http_access allow intermediate_fetching

      b. Add the following directives to the end of the file:

      sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

      sslcrtd_children 5

      ssl_bump stare all

      ssl_bump bump all

      sslproxy_cert_error allow all

      The original listed ssl_bump server-first all as the second rule and repeated sslproxy_cert_error twice; server-first is a deprecated alias in Squid 4, and stare followed by bump is the equivalent current form. Be aware of what sslproxy_cert_error allow all does: Squid accepts origin servers whose certificates are expired, self-signed or issued for the wrong name, and re-signs them with your CA, so clients see a valid certificate for a site that never presented one. That is convenient while testing but disables certificate validation for everyone behind the proxy; remove the line, or restrict it to an ACL of known hosts, before production use.

      c. Replace the http_port directive with the following (one line):

      http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl_certs/squid-ca-cert.crt tls-key=/etc/squid/ssl_certs/squid-ca-key.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl_certs/squid-dhparam.pem

      tls-dh points at the PEM parameter file generated in step 3 (the original referred to a .der file that none of the steps create). The options= list disables SSLv3 and TLS 1.0 on the client-facing port; add NO_TLSv1_1 as well if no legacy clients need TLS 1.1.


    8. Start the Squid service again and check that it accepted the configuration. To do so, execute the commands:

      squid -k parse

      service squid restart

    Configuration of SSL Bumping in the Squid service is now complete.
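As an added example (not part of the original post or of the Squid project), the shell functions below perform the certificate steps above on a directory of your choice and then run the checks a practitioner wants before pointing tls-cert and tls-key at the files: that the certificate really is a CA, that the key matches it, that the DER copy is the same certificate, and that the key is not readable by other users. The last function signs a per-host certificate with the CA by hand, roughly what security_file_certgen does for Squid at run time, and verifies that it chains to this CA. The CA subject and the www.example.com host name are assumptions for the example; the file names are the ones used in the article.

```shell
#!/usr/bin/env bash
# Added example: build a bump CA the way the article does and check it
# before handing it to Squid. The directory is whatever the caller passes
# (for instance /tmp/ssl_cert1); the CA subject below is an assumption.
set -euo pipefail

# Create the CA key and certificate, the combined PEM and the DER copy.
make_bump_ca() {
  local dir="$1" days="${2:-365}"
  mkdir -p "$dir"
  # Inline config so this does not depend on the system openssl.cnf having
  # a v3_ca section. CA:TRUE and keyCertSign are what make the certificate
  # usable for signing the per-host certificates Squid mints.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Squid Bump CA (example)
O  = Example Org
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -sha256 -days "$days" -nodes -x509 \
    -config "$dir/ca.cnf" \
    -keyout "$dir/squid-ca-key.key" -out "$dir/squid-ca-cert.crt" 2>/dev/null
  cat "$dir/squid-ca-cert.crt" "$dir/squid-ca-key.key" > "$dir/squid-ca-cert-key.pem"
  openssl x509 -in "$dir/squid-ca-cert.crt" -outform DER -out "$dir/squid-ca-cert.der"
  chmod 400 "$dir/squid-ca-key.key" "$dir/squid-ca-cert-key.pem"
}

# Pre-flight checks; returns non-zero with a reason on the first failure.
check_bump_ca() {
  local dir="$1"
  local cert="$dir/squid-ca-cert.crt" key="$dir/squid-ca-key.key"
  # 1. Must carry CA:TRUE, or clients reject every certificate Squid generates.
  case "$(openssl x509 -in "$cert" -noout -text)" in
    *CA:TRUE*) ;;
    *) echo "check: certificate is not a CA" >&2; return 1 ;;
  esac
  # 2. Key and certificate must belong together (compare the public keys).
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "check: private key does not match certificate" >&2; return 1; }
  # 3. The DER copy must be the same certificate (same SHA-256 fingerprint).
  [ "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$dir/squid-ca-cert.der" -inform DER -noout -fingerprint -sha256)" ] \
    || { echo "check: DER export does not match PEM" >&2; return 1; }
  # 4. The CA key can sign certificates every client trusts: it must not be
  #    readable by group or others.
  [ -z "$(find "$key" \( -perm -g+r -o -perm -o+r \))" ] \
    || { echo "check: CA key is group/world readable" >&2; return 1; }
  return 0
}

# What Squid does at run time, done by hand: mint a leaf certificate for a
# host, signed by the bump CA, and verify that it chains to that CA.
mint_host_cert() {
  local dir="$1" host="$2"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$dir/leaf.cnf"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" -sha256 -days 30 \
    -CA "$dir/squid-ca-cert.crt" -CAkey "$dir/squid-ca-key.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/$host.crt" 2>/dev/null
  # Verifies only against the bump CA; against the system store the same
  # certificate fails, which is why the CA must be installed on every client.
  openssl verify -CAfile "$dir/squid-ca-cert.crt" "$dir/$host.crt" >/dev/null
}

# Usage (constructed run in a scratch directory):
#   d=$(mktemp -d); make_bump_ca "$d" 365; check_bump_ca "$d"; mint_host_cert "$d" www.example.com
```

Run check_bump_ca against the directory before copying the files to /etc/squid/ssl_certs; a certificate that fails the CA:TRUE check is the most common reason bumped sites show a certificate error in the browser even though the CA was imported.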


    Trust the CA:

    Every client that goes through the proxy must trust squid-ca-cert.crt, otherwise each bumped site fails certificate validation. On an Amazon Linux 2 (or other RHEL-family) client, run the following as root:

    1. Install the ca-certificates package (usually already present): yum install ca-certificates
    2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
    3. Copy the CA certificate (never the key) into the anchors directory: cp squid-ca-cert.crt /etc/pki/ca-trust/source/anchors/
    4. Rebuild the trust bundles: update-ca-trust extract


    Test:

    From a client on which the CA has been trusted, fetch an HTTPS site through the proxy and look at the issuer of the certificate curl sees:

      curl -v --proxy http://<squid-host-ip>:3128 https://google.com 2>&1 | grep -E 'issuer|HTTP/'

    The issuer line must show the subject you gave the Squid CA rather than Google's public CA; that proves the connection was bumped. Once update-ca-trust extract has run, curl uses the system bundle, so --cacert is not needed. To test from a machine that has not installed the CA, pass --cacert /tmp/ssl_cert1/squid-ca-cert.crt instead (the original pointed at /etc/pki/tls/certs/squid-ca-cert.pem, a file none of the steps above create).



