Basic Squid SSLBump configuration

To use SSLBump with Squid you need to rebuild Squid with SSL flags enabled as the default debian package does not contain them.

$ sudo apt-get install devscripts build-essential fakeroot libssl-dev

And uncomment the deb-src from main repository as we need to download the source. After that download the squid3 source package and edit the rules file:

$ cd ~
$ apt-get update
$ apt-get source squid3
$ sudo apt-get build-dep squid3

$cd squid3-3.5.12
$sudo nano debian/rules

add to DEB_CONFIGURE_EXTRA_FLAGS

–with-openssl \
–enable-ssl-crtd \

dpkg-buildpackage -rfakeroot -b

dpkg -i *.deb

Squid is now installed, next step is to generate the required self signed certificates:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem

openssl x509 -in myCA.pem -outform DER -out myCA.der

Deploy the generated der file to client browers/devices

But upon starting the Squid service, it died stating that the ssl db directory was not initialized so I used the ssl_crtd from the build directory to initialize it.

sudo /home/manatails/squid/squid3-3.5.12/src/ssl/ssl_crtd -c -s /var/lib/ssl_db

Following is minimalist config file for running squid with SSLBump, self-explanatory.

acl home_ip src 192.168.28.0/24
http_access allow home_ip
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SSlBump1

ssl_bump peek step1
ssl_bump bump all