Configuring SSL Bumping in the Squid service

To configure SSL Bumping in the Squid service:

  1. Make sure that the utilized Squid service supports the necessary options. To do so, execute the command:

    squid -v

    The configure options parameter must contain the --enable-ssl-crtd and --with-openssl values.

  2. Go to the Squid service folder. To do so, execute the command:

    cd /etc/squid

  3. Create a self-signed SSL certificate. To do so, execute the command:

    openssl req -new -newkey rsa:2048 -days <certificate validity period in days> -nodes -x509 -keyout squidCA.pem -out squidCA.pem

    You will be prompted to fill in the fields of the self-signed SSL certificate.

  4. Please fill in the fields of the self-signed SSL certificate.
  5. Create a trusted certificate to be imported into a browser. To do so, execute the command:

    openssl x509 -in squidCA.pem -outform DER -out squid.der

  6. Import the squid.der file into the browsers of local computer users.

    The method used to import the squid.der file into a browser depends on the type of browser.

  7. Configure the permissions to use a self-signed certificate file. To do so, run the following commands depending on the utilized operating system:
    • CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:

      chown squid:squid squidCA.pem

      chmod 400 squidCA.pem

    • Ubuntu or Debian:

      chown proxy:proxy squidCA.pem

      chmod 400 squidCA.pem

  8. Create a folder for future certificates. To do so, run the following commands depending on the utilized operating system:
    • CentOS or Red Hat Enterprise Linux:

      mkdir -p /var/lib/squid

      /usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

      chown -R squid:squid /var/lib/squid

    • Ubuntu:

      mkdir -p /var/lib/squid

      /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

      chown -R proxy:proxy /var/lib/squid

    • SUSE Linux Enterprise Server:

      mkdir -p /var/lib/squid

      /usr/sbin/ssl_crtd -c -s /var/lib/squid/ssl_db

      chown -R squid:squid /var/lib/squid

    • In Debian, the Squid service does not support SSL Bumping by default. If the Squid service was compiled with enabled SSL Bumping support, you must create a directory for future certificates:

      mkdir -p /var/lib/squid

      <path specified at compilation time>/ssl_crtd -c -s /var/lib/squid/ssl_db

      chown -R <user specified at compilation time>:<group specified at compilation time> /var/lib/squid

  9. Change the settings of the Squid service. To do so, in the /etc/squid/squid.conf file:
    1. Replace http_port 3128 with http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem.
    2. Add the following lines to the end of the file:
      • CentOS or Red Hat Enterprise Linux:

        sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error deny all

      • Ubuntu:

        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error deny all

      • SUSE Linux Enterprise Server:

        sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error deny all

      • Debian (if the Squid service was compiled with enabled SSL Bumping support):

        sslcrtd_program <path specified at compilation time>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error deny all

    3. If you want to exclude trusted domain certificates from checking, add the following lines:
      • CentOS or Red Hat Enterprise Linux:

        sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        acl BrokenButTrustedServers dstdomain <example.com>

        sslproxy_cert_error allow BrokenButTrustedServers

        sslproxy_cert_error deny all

      • Ubuntu:

        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        acl BrokenButTrustedServers dstdomain <example.com>

        sslproxy_cert_error allow BrokenButTrustedServers

        sslproxy_cert_error deny all

      • SUSE Linux Enterprise Server:

        sslcrtd_program /usr/sbin/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        acl BrokenButTrustedServers dstdomain <example.com>

        sslproxy_cert_error allow BrokenButTrustedServers

        sslproxy_cert_error deny all

      • Debian (if the Squid service was compiled with enabled SSL Bumping support):

        sslcrtd_program <path specified at compilation time>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        acl BrokenButTrustedServers dstdomain <example.com>

        sslproxy_cert_error allow BrokenButTrustedServers

        sslproxy_cert_error deny all

    4. If you want to disable checking of certificates for all domains, add the following lines:
      • CentOS or Red Hat Enterprise Linux:

        sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error allow all

        sslproxy_flags DONT_VERIFY_PEER

      • Ubuntu:

        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error allow all

        sslproxy_flags DONT_VERIFY_PEER

      • SUSE Linux Enterprise Server:

        sslcrtd_program /usr/sbin/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error allow all

        sslproxy_flags DONT_VERIFY_PEER

      • Debian (if the Squid service was compiled with enabled SSL Bumping support):

        sslcrtd_program <path depends on compilation settings>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

        sslcrtd_children 5

        ssl_bump server-first all

        sslproxy_cert_error allow all

        sslproxy_flags DONT_VERIFY_PEER

  10. Restart the Squid service. To do so, execute the command:

    service squid restart

Configuration of SSL Bumping in the Squid service will be complete.

Page top