HTTPS Proxy test with Squid


I am looking into security and trying to understand how HTTPS works with a proxy. I use Squid as the proxy, and the site I connect to is ebay.com; my test client is an Apple Mac with Google Chrome as the browser.

I do 3 scenarios:

A) Connect without an HTTPS proxy
B) Connect with an HTTPS proxy as man in the middle (Squid ssl_bump mode)
C) Connect with an HTTPS pass-through proxy

For scenario B, I create a self-signed certificate "allwaysbeginner.com" for Squid and also distribute it to my Mac as a trusted certificate (details on how to do this will be in a separate blog post).

A) Let's start off by connecting to eBay without a proxy and checking the certificates.

Here you see Chrome connecting to eBay; the certificate is eBay's and issued by DigiCert. All perfect, as expected.

manfredbuchmann@Manfreds-MBP-3 ~ % openssl s_client -connect www.ebay.com:https
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = "eBay, Inc.", CN = www.ebay.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4843 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: CA5F223E54A7F3C9C1E8A811A4969D57106C22A873B902D96C7C1B303A1C6D84
    Session-ID-ctx:
    Master-Key: D838A29E64103C213E7A1EC7D1D9B2D4617D7AC47CAE64092B09D70732B0C3299F54A03DF1175593D8E24C46C8FC9EA8
    TLS session ticket lifetime hint: 83100 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1641567733
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

————————————————————————————


B) Squid used as an HTTPS proxy in ssl_bump mode, the proxy acting as man in the middle.

Does the certificate for eBay look different?

The subject name is still eBay, but the certificate issuer is allwaysbeginner.com, which is the certificate of the proxy server. Here I uploaded the allwaysbeginner.com certificate that I created. I also uploaded this certificate to my local machine (my Mac) as a trusted certificate, which is why Chrome below does not see a security issue.

Connecting to eBay with Chrome on the Mac through the proxy


How does the certificate look? Check the connection with openssl s_client:

manfredbuchmann@Manfreds-MBP-3 ~ % openssl s_client -proxy 192.168.178.94:3128 -connect www.ebay.com:https

CONNECTED(00000003)
depth=1 C = DE, ST = BadenWuertemberg, L = Salem, O = allwaysbeginner, CN = allwaysbeginner, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
   i:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
 1 s:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
   i:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
 2 s:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
   i:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
issuer=/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner/[email protected]
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5023 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 355E5BF2B53F65752F59F466DFA36DEB27EDE977B83435AF6B68CC03019A5447
    Session-ID-ctx:
    Master-Key: 9C082B7B1DCF0F0CB094CA00F817EA1888C66F60F014067977BE32744FFB072975E88B1AD76CC851916E4317AB3D790F
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1641567845
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed
manfredbuchmann@Manfreds-MBP-3 ~ %

Squid access log for openssl s_client:

tail -f /var/log/squid/access.log

1641646340.045 66 192.168.178.46 NONE/200 0 CONNECT www.ebay.com:443 - HIER_DIRECT/104.75.89.51 -


C) Squid used as an HTTPS proxy in pass-through mode

Here, as without a proxy, the certificate is eBay's, signed by DigiCert; all perfect.

Squid access log for browser access

tail -f /var/log/squid/access.log

1641647999.050 79574 192.168.178.46 TCP_TUNNEL/200 5514 CONNECT srv.main.ebayrtm.com:443 - HIER_DIRECT/209.140.129.69 -
1641647999.162 111 192.168.178.46 TCP_TUNNEL/200 656 CONNECT src.ebay-us.com:443 - HIER_DIRECT/185.32.241.65 -
1641648000.340 20642 192.168.178.46 TCP_TUNNEL/200 3187 CONNECT www.ebay.com:443 - HIER_DIRECT/104.75.89.51 -
1641648011.833 12774 192.168.178.46 TCP_TUNNEL/200 5818 CONNECT backstory.ebay.com:443 - HIER_DIRECT/64.4.252.22 -
1641648011.945 12860 192.168.178.46 TCP_TUNNEL/200 6336 CONNECT backstory.ebay.com:443 - HIER_DIRECT/64.4.252.22 -
1641648020.509 10071 192.168.178.46 TCP_TUNNEL/200 4448 CONNECT www.google.com:443 - HIER_DIRECT/2a00:1450:4001:80e::2004 -
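The two access.log excerpts (scenario B and scenario C) differ in the result code Squid logged for the CONNECT: NONE/200 with 0 bytes for the bumped connection, TCP_TUNNEL/200 with the relayed byte count for the pass-through tunnels. The following parser and per-host summary is an added example, not code from the original post; the sample lines are constructed from the log entries shown above, and `parse_line`/`summarize` are names chosen here.

```python
"""Audit Squid's native-format access.log: for each CONNECT, was the tunnel relayed
unread (TCP_TUNNEL/...) or answered by Squid itself (NONE/200, as the bumped CONNECT
in scenario B is logged on this page)?"""
import re
from collections import Counter

# Constructed sample: the bumped CONNECT from scenario B and three pass-through
# tunnels from scenario C, as they appear on this page.
SAMPLE_LOG = """\
1641646340.045     66 192.168.178.46 NONE/200 0 CONNECT www.ebay.com:443 - HIER_DIRECT/104.75.89.51 -
1641647999.050  79574 192.168.178.46 TCP_TUNNEL/200 5514 CONNECT srv.main.ebayrtm.com:443 - HIER_DIRECT/209.140.129.69 -
1641648000.340  20642 192.168.178.46 TCP_TUNNEL/200 3187 CONNECT www.ebay.com:443 - HIER_DIRECT/104.75.89.51 -
1641648020.509  10071 192.168.178.46 TCP_TUNNEL/200 4448 CONNECT www.google.com:443 - HIER_DIRECT/2a00:1450:4001:80e::2004 -
"""

# Squid native log fields: time duration client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)"
                  r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
                  r"\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$")

def parse_line(line):
    """One log line -> dict of typed fields, or None if it is not native format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["ms"] = float(rec["ts"]), int(rec["ms"])
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    # TCP_TUNNEL: Squid relayed opaque bytes end to end. NONE: Squid produced the 200
    # itself without relaying a tunnel, which is how the bumped CONNECT above was logged.
    rec["bumped"] = rec["method"] == "CONNECT" and rec["code"] == "NONE"
    return rec

def summarize(log_text):
    """Per destination host: counts of bumped vs. tunneled CONNECTs and tunneled bytes."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            host = rec["url"].rsplit(":", 1)[0]
            per_host = stats.setdefault(host, Counter())
            per_host["bumped" if rec["bumped"] else "tunneled"] += 1
            per_host["bytes"] += rec["bytes"]
    return stats

if __name__ == "__main__":
    for host, c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:25} bumped={c['bumped']} tunneled={c['tunneled']} bytes={c['bytes']}")
```

Run it against a real file with `summarize(open("/var/log/squid/access.log").read())`; hosts that show up under `bumped` are the ones whose TLS the proxy terminated.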


———————————————————————————————————————————

manfredbuchmann@Manfreds-MBP-3 ~ % openssl s_client -proxy 192.168.178.94:3128 -connect www.ebay.com:https
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = "eBay, Inc.", CN = www.ebay.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4882 bytes and written 353 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 2A65215723ED75CBADD12E309E353C2C17C678AFB064B270622612952B4694B1
    Session-ID-ctx:
    Master-Key: 7A8175DAFFE383BA15F715A08762BFFEEAE7C4C93F4A798F798F7B5D41667619DDF4F78ADB4638079BC969638C541E27
    TLS session ticket lifetime hint: 83100 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1641568742
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed
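What distinguishes the three scenarios above is only the issuer of the leaf certificate: DigiCert when the connection is direct or tunneled, allwaysbeginner when Squid bumps it. The script below is an added example, not the author's code: it parses the "Certificate chain" block that openssl s_client prints (sample chains constructed from the outputs on this page) and can also run the same check live, opening the HTTP CONNECT tunnel itself the way `openssl s_client -proxy` does. The function names `rdn`, `parse_chain`, `classify`, `self_signed_in_chain` and `leaf_issuer` are chosen here; the proxy address 192.168.178.94:3128 is the one from the post.

```python
"""Detect a bumping (intercepting) proxy the way this page does by eye: compare the
leaf certificate's issuer with the public CA the site really uses."""
import re
import socket
import ssl

# Constructed from the chains printed on this page: www.ebay.com seen directly and via Squid ssl_bump.
DIRECT_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
"""
BUMPED_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
   i:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner
 1 s:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner
   i:/C=DE/ST=BadenWuertemberg/L=Salem/O=allwaysbeginner/CN=allwaysbeginner
"""

def rdn(dn):
    """'/C=US/O=eBay, Inc./CN=www.ebay.com' -> {'C': 'US', 'O': 'eBay, Inc.', 'CN': ...}"""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def parse_chain(s_client_output):
    """Leaf-first [(subject, issuer), ...] from s_client's 'Certificate chain' block."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", s_client_output, re.M)
    return [(rdn(s), rdn(i)) for s, i in pairs]

def classify(chain, expected_issuer_org):
    """'direct' if the leaf was issued by the CA you expect, otherwise 'intercepted'."""
    if not chain:
        return "no-chain"
    return "direct" if chain[0][1].get("O") == expected_issuer_org else "intercepted"

def self_signed_in_chain(chain):
    """True if a sent cert is its own issuer (s_client 'verify error:num=19'): a private root came along."""
    return any(s == i for s, i in chain)

SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
         "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}
def leaf_issuer(host, proxy=None, port=443, timeout=10):
    """Live check: handshake with host, through 'CONNECT host:port' on proxy=(addr, port)
    when given (as 'openssl s_client -proxy' does), verified with Python's default trust
    store; returns the leaf issuer as a short-name dict (untrusted bump CA -> SSLCertVerificationError)."""
    if proxy:
        sock = socket.create_connection(proxy, timeout)
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:          # proxy status line + headers, then raw TLS
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        if reply.split(b" ", 2)[1] != b"200":   # e.g. 'HTTP/1.1 200 Connection established'
            raise ConnectionError("CONNECT refused: " + reply.decode(errors="replace"))
    else:
        sock = socket.create_connection((host, port), timeout)
    with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
        return {SHORT.get(k, k): v for r in tls.getpeercert()["issuer"] for k, v in r}

if __name__ == "__main__":   # usage: check_bump.py www.ebay.com "DigiCert Inc" [192.168.178.94:3128]
    import sys
    host, org = sys.argv[1], sys.argv[2]
    proxy = (sys.argv[3].rsplit(":", 1)[0], int(sys.argv[3].rsplit(":", 1)[1])) if len(sys.argv) > 3 else None
    issuer = leaf_issuer(host, proxy)
    print(host, "leaf issued by", issuer.get("O"), "->", classify([({}, issuer)], org))
```

The live check uses Python's trust store, not Chrome's or the macOS Keychain, so a bump CA trusted only in the Keychain still fails verification here, which is itself a useful second opinion.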