diladele / squid-windows

Squid Proxy built for Microsoft Windows
GNU General Public License v2.0

Squid on Windows - ssl_bump not working #64

Closed shikarishambu closed 7 years ago

shikarishambu commented 8 years ago

I keep seeing the following in the logs

unintialized /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db"

when I run the said command I get

D:\apps\server\squid\lib\squid>ssl_crtd -c -s /var/run/squid/lib/ssl_db
Initialization SSL db...
ssl_crtd: Cannot create /var/run/squid/lib/ssl_db

I have tried giving the full path d:/app/server/squid/var/run/squid/lib/ssl_db

My config for ssl_bump looks as follows:

http_port 3128

always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

http_port 3128 ssl-bump cert=D:/apps/openssl/proxy.stepsolutions.com.cert key=D:/apps/openssl/proxy.stepsolutions.com.private generate-host-certificates=on options=NO_SSLv2

Please help

ra-at-diladele-com commented 8 years ago

If I am not mistaken, all commands should be run from Squid's Cygwin prompt, using the shortcut on your desktop that the installer made. All paths must begin with /cygdrive/ like in http://docs.diladele.com/faq/squid/cache_squid_windows.html

stylemessiah commented 7 years ago

I realise this is old, but adding this FYI anyway.

Considering the line in your squid.conf (yours may have a different path):

sslcrtd_program /cygdrive/e/Squid/lib/squid/ssl_crtd -s /cygdrive/e/Squid/var/cache/squid_ssldb -M 4MB -b 2048

(Note: my Squid is on drive E, and I may have altered the switches at the end for my own needs.)

The correct command in Squid Console is:

ssl_crtd -c -s <drive letter>:/Squid/var/cache/squid_ssldb/

Note: If there is an existing folder named squid_ssldb at <drive letter>:/Squid/var/cache/ then you will get an error, and you will need to remove it first and then run the above command. It won't let you overwrite the existing squid_ssldb folder.

You should also consider changing to, or adding, these options:

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

The line:

sslproxy_flags DONT_VERIFY_PEER

Should ideally never be used, and only as an absolute last resort for a site whose certificate generates an error, and I'd be suspicious of any such site.
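A small audit script, added here as an illustration (it is not part of the squid-windows project), that scans a squid.conf for the settings this comment recommends changing. The sample config is constructed from the original post; the `sslcrtd_program` line and the `/cygdrive/` path check are assumptions based on the advice earlier in the thread.

```python
"""Audit a Windows squid.conf for the ssl_bump settings discussed in this thread."""
import re

# Constructed sample: the original poster's config, one directive per line,
# plus an assumed sslcrtd_program line using the same non-cygdrive path.
SAMPLE_CONF = """\
http_port 3128
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv2
sslcrtd_program /var/run/squid/lib/ssl_crtd -s /var/run/squid/lib/ssl_db -M 4MB
"""

WINDOWS_PATH = re.compile(r"^(/cygdrive/[a-zA-Z]/|[A-Za-z]:/)")


def parse_directives(text):
    """Yield (name, args) per non-comment line; squid.conf is whitespace-delimited."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def audit(text):
    """Return a list of findings; an empty list means none of the weak settings were seen."""
    findings = []
    for name, args in parse_directives(text):
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream certificates are never verified")
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: certificate errors are silently accepted")
        elif name == "ssl_bump" and args and args[0] == "server-first":
            findings.append("ssl_bump server-first: prefer 'ssl_bump peek step1' + 'ssl_bump bump all'")
        elif name == "sslproxy_options" and args and "NO_SSLv3" not in args[0].split(","):
            findings.append("sslproxy_options: NO_SSLv3 missing alongside NO_SSLv2")
        elif name == "sslcrtd_program" and "-s" in args:
            i = args.index("-s")
            db = args[i + 1] if i + 1 < len(args) else ""
            if db and not WINDOWS_PATH.match(db):
                findings.append(f"sslcrtd_program -s {db}: on Windows use a /cygdrive/<letter>/ or <letter>:/ path")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```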

ea-at-diladele-com commented 7 years ago

I would recommend switching to Docker on Windows 10: https://hub.docker.com/r/diladele/websafety/

The tutorials can be found here: https://docs.diladele.com/docker/docker_windows_10/index.html https://docs.diladele.com/docker/docker_windows/index.html

This should be a fully functional Squid, without the IO issues of Cygwin.