View Issue Details

ID: 0003016
Project: Kali Linux
Category: Kali Package Improvement
View Status: public
Last Update: 2016-02-02 07:49
Reporter: carlopmart
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Summary: 0003016: Add ssl interception to squid
Description

Hi all,

In Kali 2016.1 it is not possible to configure ssl interception in squid:

root@kalitst:/etc/squid# squid -k parse
2016/01/25 15:17:36| Startup: Initializing Authentication Schemes ...
2016/01/25 15:17:36| Startup: Initialized Authentication Scheme 'basic'
2016/01/25 15:17:36| Startup: Initialized Authentication Scheme 'digest'
2016/01/25 15:17:36| Startup: Initialized Authentication Scheme 'negotiate'
2016/01/25 15:17:36| Startup: Initialized Authentication Scheme 'ntlm'
2016/01/25 15:17:36| Startup: Initialized Authentication.
2016/01/25 15:17:36| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/01/25 15:17:36| Processing: acl localnet src 172.22.55.0/28
2016/01/25 15:17:36| Processing: acl localnet src 172.22.58.0/29
2016/01/25 15:17:36| Processing: acl SSL_ports port 443
2016/01/25 15:17:36| Processing: acl Safe_ports port 80 # http
2016/01/25 15:17:36| Processing: acl Safe_ports port 21 # ftp
2016/01/25 15:17:36| Processing: acl Safe_ports port 443 # https
2016/01/25 15:17:36| Processing: acl Safe_ports port 70 # gopher
2016/01/25 15:17:36| Processing: acl Safe_ports port 210 # wais
2016/01/25 15:17:36| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/01/25 15:17:36| Processing: acl Safe_ports port 280 # http-mgmt
2016/01/25 15:17:36| Processing: acl Safe_ports port 488 # gss-http
2016/01/25 15:17:36| Processing: acl Safe_ports port 591 # filemaker
2016/01/25 15:17:36| Processing: acl Safe_ports port 777 # multiling http
2016/01/25 15:17:36| Processing: acl CONNECT method CONNECT
2016/01/25 15:17:36| Processing: acl purge method PURGE
2016/01/25 15:17:36| Processing: http_access deny !Safe_ports
2016/01/25 15:17:36| Processing: http_access deny CONNECT !SSL_ports
2016/01/25 15:17:36| Processing: http_access allow localhost manager
2016/01/25 15:17:36| Processing: http_access deny manager
2016/01/25 15:17:36| Processing: http_access allow purge localhost
2016/01/25 15:17:36| Processing: http_access deny purge
2016/01/25 15:17:36| Processing: http_access deny to_localhost
2016/01/25 15:17:36| Processing: http_access allow localnet
2016/01/25 15:17:36| Processing: http_access allow localhost
2016/01/25 15:17:36| Processing: http_access deny all
2016/01/25 15:17:36| Processing: http_port 8079
2016/01/25 15:17:36| Processing: http_port 8080 intercept
2016/01/25 15:17:36| Starting Authentication on port [::]:8080
2016/01/25 15:17:36| Disabling Authentication on port [::]:8080 (interception enabled)
2016/01/25 15:17:36| Processing: https_port 8081 ssl-bump intercept cert=/etc/squid/test.cert key=/etc/squid/test.private generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
2016/01/25 15:17:36| ERROR: 'https_port' requires --with-openssl
2016/01/25 15:17:36| Processing: coredump_dir /var/spool/squid
2016/01/25 15:17:36| Processing: refresh_pattern ^ftp: 1440 20% 10080
2016/01/25 15:17:36| Processing: refresh_pattern ^gopher: 1440 0% 1440
2016/01/25 15:17:36| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2016/01/25 15:17:36| Processing: refresh_pattern . 0 20% 4320
2016/01/25 15:17:36| Processing: forwarded_for off
2016/01/25 15:17:36| Processing: request_header_access Allow allow all
2016/01/25 15:17:36| Processing: request_header_access Authorization allow all
2016/01/25 15:17:36| Processing: request_header_access WWW-Authenticate allow all
2016/01/25 15:17:36| Processing: request_header_access Proxy-Authorization allow all
2016/01/25 15:17:36| Processing: request_header_access Proxy-Authenticate allow all
2016/01/25 15:17:36| Processing: request_header_access Cache-Control allow all
2016/01/25 15:17:36| Processing: request_header_access Content-Encoding allow all
2016/01/25 15:17:36| Processing: request_header_access Content-Length allow all
2016/01/25 15:17:36| Processing: request_header_access Content-Type allow all
2016/01/25 15:17:36| Processing: request_header_access Date allow all
2016/01/25 15:17:36| Processing: request_header_access Expires allow all
2016/01/25 15:17:36| Processing: request_header_access Host allow all
2016/01/25 15:17:36| Processing: request_header_access If-Modified-Since allow all
2016/01/25 15:17:36| Processing: request_header_access Last-Modified allow all
2016/01/25 15:17:36| Processing: request_header_access Location allow all
2016/01/25 15:17:36| Processing: request_header_access Pragma allow all
2016/01/25 15:17:36| Processing: request_header_access Accept allow all
2016/01/25 15:17:36| Processing: request_header_access Accept-Charset allow all
2016/01/25 15:17:36| Processing: request_header_access Accept-Encoding allow all
2016/01/25 15:17:36| Processing: request_header_access Accept-Language allow all
2016/01/25 15:17:36| Processing: request_header_access Content-Language allow all
2016/01/25 15:17:36| Processing: request_header_access Mime-Version allow all
2016/01/25 15:17:36| Processing: request_header_access Retry-After allow all
2016/01/25 15:17:36| Processing: request_header_access Title allow all
2016/01/25 15:17:36| Processing: request_header_access Connection allow all
2016/01/25 15:17:36| Processing: request_header_access Proxy-Connection allow all
2016/01/25 15:17:36| Processing: request_header_access User-Agent allow all
2016/01/25 15:17:36| Processing: request_header_access Cookie allow all
2016/01/25 15:17:36| Processing: request_header_access All deny all
2016/01/25 15:17:36| Processing: shutdown_lifetime 5 seconds
2016/01/25 15:17:36| Processing: ssl_bump stare all
2016/01/25 15:17:36| ERROR: 'ssl_bump' requires --with-openssl
2016/01/25 15:17:36| Processing: ssl_bump bump all
2016/01/25 15:17:36| ERROR: 'ssl_bump' requires --with-openssl

As you can see, squid needs to be compiled with the "--with-openssl" option.

Thanks.

Steps To Reproduce

Add "https_port" with interception+sslbump.

Activities

carlopmart

2016-01-25 16:05

reporter   ~0004604

To complete the info: to make it work more smoothly, squid needs to be compiled with these options: "--enable-ssl-crtd --with-openssl"

carlopmart

2016-02-01 16:51

reporter   ~0004651

Any news about this?

rhertzog

2016-02-02 07:49

administrator   ~0004652

Hello, we use squid unmodified from Debian so that issue must be brought to Debian. Someone else already did: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811014

Try to convince the Debian maintainer that this change is a good one. I sent a message to ask for details on the implications of that change.
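
Added example (not part of the original report, and not code from squid, Debian or Kali): the shell functions below list the directives that `squid -k parse` rejects for a missing build option, and check the "configure options:" line of `squid -v` for the two flags named in this thread. The sample inputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: a few lines in the format of the parse output in the report.
sample_parse() {
cat <<'EOF'
2016/01/25 15:17:36| Processing: http_port 8080 intercept
2016/01/25 15:17:36| Processing: https_port 8081 ssl-bump intercept
2016/01/25 15:17:36| ERROR: 'https_port' requires --with-openssl
2016/01/25 15:17:36| Processing: ssl_bump stare all
2016/01/25 15:17:36| ERROR: 'ssl_bump' requires --with-openssl
2016/01/25 15:17:36| Processing: ssl_bump bump all
2016/01/25 15:17:36| ERROR: 'ssl_bump' requires --with-openssl
EOF
}

# Constructed sample of `squid -v` output for a build without OpenSSL support
# (version string is a placeholder).
sample_version() {
cat <<'EOF'
Squid Cache: Version X.Y.Z
configure options:  '--prefix=/usr' '--enable-icap-client' '--with-default-user=proxy'
EOF
}

# stdin: `squid -k parse` output. Prints "directive flag" once per distinct pair.
missing_build_options() {
    sed -n "s/^.*| ERROR: '\([^']*\)' requires \(--[A-Za-z0-9-]*\).*/\1 \2/p" | sort -u
}

# stdin: `squid -v` output. Returns 0 if configure flag $1 (with or without
# an =value suffix) appears on the "configure options:" line.
built_with() {
    grep '^configure options:' | tr -s " '" '\n\n' | grep -Eqx -- "$1(=.*)?"
}

# $1: `squid -v` output. Reports the two flags named in the thread.
report_flags() {
    for flag in --with-openssl --enable-ssl-crtd; do
        if printf '%s\n' "$1" | built_with "$flag"; then
            echo "$flag present"
        else
            echo "$flag MISSING"
        fi
    done
}

sample_parse | missing_build_options
report_flags "$(sample_version)"
```

On a live system, run `squid -k parse 2>&1 | missing_build_options` and `report_flags "$(squid -v)"` instead of the sample functions.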

Issue History

Date Modified Username Field Change
2016-01-25 15:36 carlopmart New Issue
2016-01-25 16:05 carlopmart Note Added: 0004604
2016-02-01 16:51 carlopmart Note Added: 0004651
2016-02-02 07:49 rhertzog Note Added: 0004652
2016-02-02 07:49 rhertzog Status new => closed
2016-02-02 07:49 rhertzog Assigned To => rhertzog
2016-02-02 07:49 rhertzog Resolution open => won't fix