tl;dr:
- Create a CA cert and key for the proxy to sign with
- Build OpenSSL 1.1.1c with SSLv3 (and nominally SSLv2) enabled
- Configure squid as an SSL bump
- Preload the libssl built above and run squid
- Import the CA cert into your browser's trust store as a CA (on a test machine, not your daily driver)
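The whole tl;dr as shell functions, added here as an example and not code from the original post. It assumes a Debian-style Squid 4 layout (squid runs as user proxy, config in /etc/squid, cert helper at /usr/lib/squid/security_file_certgen, daemon at /usr/sbin/squid) and the OpenSSL 1.1.1c source unpacked at /usr/src/openssl-1.1.1c and built out of tree in build_shared/, which is the path the patched init script preloads from. The CA subject and the file names are constructed for the example; the step the post never shows, making the CA and checking it before handing it to a proxy, is the part worth running.

```shell
#!/bin/sh
# Added example, not code from the original post: the tl;dr as shell
# functions. Assumed layout (Debian-style Squid 4 package): squid runs as
# user "proxy", squid.conf is /etc/squid/squid.conf, the cert helper is
# /usr/lib/squid/security_file_certgen, the OpenSSL 1.1.1c source tree is
# unpacked at /usr/src/openssl-1.1.1c and built out-of-tree in build_shared/
# (the path the patched init script preloads from).
set -eu

# Step 1: create the CA. Squid wants certificate and key concatenated in
# one PEM file (squid-ca-cert-key.pem in the squid.conf patch); browsers
# want the certificate alone, usually as DER.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # Self-contained config so the result does not depend on whatever the
    # distro openssl.cnf says; it produces a CA certificate and nothing else.
    cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Squid SSL-bump lab CA
O = lab (constructed example)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/squid-ca-key.pem" -out "$dir/squid-ca-cert.pem" 2>/dev/null
    cat "$dir/squid-ca-cert.pem" "$dir/squid-ca-key.pem" >"$dir/squid-ca-cert-key.pem"
    chmod 600 "$dir/squid-ca-key.pem" "$dir/squid-ca-cert-key.pem"
    # DER copy of the certificate only, for the browser import.
    openssl x509 -in "$dir/squid-ca-cert.pem" -outform DER -out "$dir/squid-ca-cert.der"
}

# Sanity check before a proxy starts minting certificates with it: the
# certificate must be a CA, the combined file must hold both blocks, and
# the key must belong to the certificate. Prints "ok" or the failed check.
check_ca() {
    dir=$1
    openssl x509 -in "$dir/squid-ca-cert.pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo not-a-ca; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$dir/squid-ca-cert-key.pem" \
        && grep -q 'PRIVATE KEY' "$dir/squid-ca-cert-key.pem" \
        || { echo combined-file-incomplete; return 1; }
    certmod=$(openssl x509 -in "$dir/squid-ca-cert.pem" -noout -modulus)
    keymod=$(openssl rsa -in "$dir/squid-ca-key.pem" -noout -modulus 2>/dev/null)
    [ "$certmod" = "$keymod" ] || { echo key-mismatch; return 1; }
    echo ok
}

# Step 2: build OpenSSL 1.1.1c out of tree with the post's configure
# options. SSLv2 was removed in OpenSSL 1.1.0, so enable-ssl2 is only a
# deprecated no-op here; enable-ssl3/enable-ssl3-method are what matter.
build_openssl() {
    src=${1:-/usr/src/openssl-1.1.1c}
    mkdir -p "$src/build_shared"
    ( cd "$src/build_shared" \
      && ../config no-idea no-mdc2 no-rc5 no-zlib enable-ssl3 enable-unit-test \
           enable-ssl3-method enable-rfc3779 enable-cms enable-ssl2 \
      && make -j"$(nproc 2>/dev/null || echo 2)" )
    [ -f "$src/build_shared/libssl.so.1.1" ]
}

# Step 3: the certificate database behind sslcrtd_program must exist and
# belong to the squid user before the first start (-M matches squid.conf).
init_ssl_db() {
    /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 16MB
    chown -R proxy:proxy /var/spool/squid/ssl_db
}

# Step 4: run squid with the freshly built libssl preloaded (same -YC
# arguments as the init script). Only libssl is swapped; libcrypto stays
# the distro's, which is fine within the 1.1.1 ABI.
start_squid() {
    LD_PRELOAD=/usr/src/openssl-1.1.1c/build_shared/libssl.so.1.1 \
        /usr/sbin/squid -YC -f /etc/squid/squid.conf
}

# Usage on a lab box, as root:  sh bump-setup.sh all
# Step 5 (import /etc/squid/certs/squid-ca-cert.der into the browser as a
# trusted CA) is a manual, per-browser step.
if [ "${1:-}" = all ]; then
    make_ca /etc/squid/certs
    check_ca /etc/squid/certs
    build_openssl
    init_ssl_db
    start_squid
fi
```

The CA config is written inline on purpose: the distro openssl.cnf is what decides whether a bare openssl req -x509 emits CA:TRUE, and a CA certificate without that extension is the classic reason a browser accepts the import and then still rejects every bumped site.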
Build OpenSSL 1.1.1c with the configure options below. One caveat: OpenSSL 1.1.0 removed the SSLv2 implementation outright, so on 1.1.1c enable-ssl2 is accepted (Configure lists it as deprecated) but does nothing; what this build adds over the distro library is SSLv3, via enable-ssl3 plus enable-ssl3-method, alongside TLS 1.0 through 1.3:
<code>
no-idea no-mdc2 no-rc5 no-zlib enable-ssl3 enable-unit-test enable-ssl3-method enable-rfc3779 enable-cms enable-ssl2
</code>
Then configure squid to act as an SSL bump, i.e. to terminate the client's TLS itself, open a second TLS connection to the origin, and present the client a per-host certificate signed on the fly by the CA above. The diff is against the stock squid.conf:
<code>
--- /etc/squid/squid.conf.orig 2019-07-24 10:33:25.000000000 -0700
+++ /etc/squid/squid.conf 2019-11-03 09:30:34.371013823 -0800
@@ -1377,6 +1487,7 @@
#Default:
# Deny, unless rules exist in squid.conf.
#
+http_access allow localnet
#
# Recommended minimum Access Permission configuration:
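Review bot: http_access allow localnet is inserted here, inside the #Default comment block and ahead of the "Recommended minimum Access Permission configuration" rules that follow it, so for localnet clients it is matched before the stock deny rules for unsafe ports and non-SSL CONNECT targets and those protections no longer apply to them. Move the line down to just after those deny rules, where the stock file keeps its commented-out allow localnet example, and confirm the acl localnet src lines it depends on are uncommented in this file.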
@@ -1904,7 +2015,13 @@
#
# Squid normally listens to port 3128
-http_port 3128
+http_port 3128 ssl-bump \
- cert=/etc/squid/certs/squid-ca-cert-key.pem \
- generate-host-certificates=on dynamic_cert_mem_cache_size=16MB \
- cipher=ALL
+https_port 3129 intercept ssl-bump \
- cert=/etc/squid/certs/squid-ca-cert-key.pem \
- generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# TAG: https_port
# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
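Review bot: the cert=, generate-host-certificates= and cipher= continuation lines carry a "-" prefix, which in unified diff syntax marks removed lines; the hunk header's counts (7 old lines, 13 new) only add up if they are "+" lines continuing the http_port and https_port directives, so the prefixes were mangled somewhere between the editor and the page and the patch will not apply as shown. Two things to say while fixing that: the TAG comment directly below uses the Squid 4 spelling tls-cert=, and Squid 4 accepts cert= and cipher= only as deprecated aliases with an upgrade warning at startup, so tls-cert= and tls-cipher= are the forms to use; and cipher=ALL applies to the client-facing side of port 3128, which is the intent here but means the proxy will also negotiate the weakest suites the new libssl offers with any client that asks. The https_port 3129 intercept line only ever sees traffic if port 443 is redirected to it (NAT or equivalent), which this diff does not set up.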
@@ -2539,11 +2636,15 @@
# ssl_bump bump all
#Default:
# Become a TCP tunnel without decrypting proxied traffic.
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+ssl_bump splice all
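Review bot: the final ssl_bump splice all is unreachable. ssl_bump rules are evaluated in order and bump all matches every connection once step 1 has been peeked, so nothing ever reaches the splice line. Either drop it or turn it into the exception list by giving it an ACL and placing it before bump all, for example ssl_bump splice no_bump with a dstdomain ACL of that name (an assumed name). As written every TLS connection is decrypted, including sites that require client certificates, which cannot work through a bump and belong on such a splice list.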
@@ -2690,12 +2776,12 @@
# For more information use:
# /usr/lib/squid/security_file_certgen -h
#Default:
-# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB
</code>
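Review bot: the ssl_db directory named by -s must exist, be initialised and be owned by the user squid runs as before the first start, and this patch does not include that step; on this layout it is /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 16MB followed by a chown to the squid user. Note also that -M here sizes the on-disk certificate database, a separate setting from the dynamic_cert_mem_cache_size=16MB on the port lines; keeping both at 16MB is fine, but changing one does not change the other.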
And finally start squid with the freshly built libssl preloaded, by way of the init script:
<code>
--- /tmp/etc/init.d/squid 2019-07-24 10:33:25.000000000 -0700
+++ /etc/init.d/squid 2019-10-16 19:11:19.407420861 -0700
@@ -23,6 +23,7 @@
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
+SSL_PRELOAD="LD_PRELOAD=/usr/src/openssl-1.1.1c/build_shared/libssl.so.1.1 "
[ ! -f /etc/default/squid ] || . /etc/default/squid
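Review bot: SSL_PRELOAD points into a build directory under /usr/src. Anything that cleans or re-extracts that source tree removes libssl.so.1.1, and ld.so then prints a warning, ignores the missing preload and starts the proxy against the distro libssl with no SSLv3 at the next restart, with nothing in squid's own logs to show it. Install the built library to a fixed location (for example /opt/openssl-1.1.1c-ssl3/lib, an assumed path) and preload from there. Note also that only libssl is preloaded while libcrypto.so.1.1 still comes from the distro, which is fine within the 1.1.1 ABI but worth stating in the post.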
@@ -91,7 +92,7 @@
if test -d "$cache_dir" -a ! -d "$cache_dir/00"
then
log_warning_msg "Creating $DESC cache structure"
- $DAEMON -z -f $CONFIG
+ $SSL_PRELOAD $DAEMON -z -f $CONFIG
[ -x /sbin/restorecon ] && restorecon -R $cache_dir
fi
</code>
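Review bot: $SSL_PRELOAD $DAEMON -z -f $CONFIG does not set the environment variable. The shell recognises VAR=value assignments before expansion, so after expansion LD_PRELOAD=/usr/src/... becomes the command name and the line fails with "command not found", and the cache directory is never created. Write the assignment literally (LD_PRELOAD=/usr/src/openssl-1.1.1c/build_shared/libssl.so.1.1 $DAEMON -z -f $CONFIG), use env $SSL_PRELOAD $DAEMON -z -f $CONFIG, or export LD_PRELOAD once near the top of the script. The export is the better fix anyway, because this hunk only touches the one-off -z cache initialisation; the part of the script that actually starts the daemon is not in this diff, so the running squid would still come up without the preload.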