Configuring SSL Bumping in the Squid service

It is recommended to configure SSL Bumping in the Squid service to handle encrypted connections. If SSL Bumping is not configured, the proxy server cannot intervene in the process of establishing an encrypted connection. In this case, the protection modules of Kaspersky Web Traffic Security (Anti-Virus and Anti-Phishing) are unable to scan data transmitted inside the encrypted data channel. This reduces the level of protection of the corporate IT infrastructure.

SSL Bumping requires an SSL certificate and a private key in PEM format. You can create a new self-signed SSL certificate or use a prepared one (for example, an SSL certificate issued by a Certificate Authority).

If the private key is password protected, it needs to be decrypted in advance.

To configure SSL Bumping in the Squid service:

  1. Make sure that the utilized Squid service supports the necessary options. To do so, execute the command:

    squid -v

    The configure options parameter must contain the --enable-ssl-crtd and --with-openssl values.

  2. Copy the SSL certificate in PEM format into the file /etc/squid/bump.crt.
  3. Copy the private key in PEM format into the file /etc/squid/bump.key.
  4. Generate the settings file for the Diffie-Hellman algorithm. To do so, execute the command:

    openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048

  5. Configure the permissions for using an SSL certificate file. To do so, run the following commands depending on the utilized operating system:
    • CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:

      chown squid:squid /etc/squid/bump*

      chmod 400 /etc/squid/bump*

    • Ubuntu or Debian:

      chown proxy:proxy /etc/squid/bump*

      chmod 400 /etc/squid/bump*

  6. Determine the version of the Squid service being used on your server. To do so, execute the command:

    squid -v

    Information about the utilized version is displayed in the format Squid Cache: Version <version>.

  7. Stop the Squid service if it is running. To do so, execute the command:

    service squid stop

  8. If you are using version 3.5.x of the Squid service:
    1. Create a directory for the certificate database and initialize the database. To do so, run the following commands depending on the utilized operating system:
      • CentOS or Red Hat Enterprise Linux:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

        chown -R squid:squid /var/lib/squid

      • SUSE Linux Enterprise Server:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/sbin/ssl_crtd -c -s /var/lib/squid/ssl_db

        chown -R squid:squid /var/lib/squid

      • Ubuntu or Debian:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

        chown -R proxy:proxy:<группа> /var/lib/squid

    2. In the /etc/squid/squid.conf configuration file, make the following changes:
      1. At the end of the file, add the following directives depending on the utilized operating system:
        • CentOS or Red Hat Enterprise Linux:

        sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

        • SUSE Linux Enterprise Server:

        sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

        • Ubuntu or Debian:

        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

      2. Replace the http_port directive with the following:

        http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/bump.crt key=/etc/squid/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

  9. If you are using version 4.x of the Squid service:
    1. Create a directory for the certificate database and initialize the database. To do so, run the following commands depending on the utilized operating system:
      • CentOS or Red Hat Enterprise Linux:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB

        chown -R squid:squid /var/lib/squid

      • SUSE Linux Enterprise Server:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/sbin/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB

        chown -R squid:squid /var/lib/squid

      • Ubuntu or Debian:

        mkdir -p /var/lib/squid

        rm -rf /var/lib/squid/ssl_db

        /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB

        chown -R proxy:proxy /var/lib/squid

    2. In the /etc/squid/squid.conf configuration file, make the following changes:
      1. Add the following directives to the beginning of the file or before the first http_access directive:

        acl intermediate_fetching transaction_initiator certificate-fetching

        http_access allow intermediate_fetching

      2. Add the following directives to the end of the file depending on the utilized operating system:
        • CentOS or Red Hat Enterprise Linux:

        sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

        • SUSE Linux Enterprise Server:

        sslcrtd_program /usr/sbin/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

        • Ubuntu or Debian:

        sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

        sslproxy_cert_error allow all

        ssl_bump stare all

      3. Replace the http_port directive with the following:

        http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

  10. Restart the Squid service. To do so, execute the command:

    service squid restart

Configuration of SSL Bumping in the Squid service will be complete.

Page top