How to enable HTTPS decryption (SslBump) in Squid 3.5 for Windows?

If you are using our installer for Squid for Windows from http://squid.diladele.com please follow these steps to enable HTTPS decryption (SslBump). By default HTTPS decryption is disabled. Please contact your lawyer before enabling this feature because it might be considered illegal in some countries.

More information is available from the following Squid wiki pages:

From now on we will assume the Squid is installed in c:\squid folder. If this is not so, adjust instructions accordingly.

Step 1. Generate Root CA certificate

In order to perform HTTPS decryption Squid needs to be configured to use self signed Root CA certificate. Take a look at article Manually Regenerate Trusted Root SSL Certificate for Squid for instructions how to generate the required certificate manually from the command line on the Linux system (no instructions for Windows yet).

Save the generated myca.pem and myca.der certificates as c:\squid\etc\squid\myca.pem and c:\squid\etc\squid\myca.der respectively.

Step 2. Configure HTTP listening port in Squid

To enable HTTPS decryption we now need to adjust the http_port directive in c:\squid\etc\squid\squid.conf. Make it look like this.

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/squid/myca.pem

Step 3. Regenerate ssl_crtd folder

Default installation of Squid for Windows already has ssl_crtd folder correctly configured in c:\squid\var\cache\squid_ssldb but if for some reasons you need to regenerate it manually do the following.

  1. Stop Squid for Windows service using Services management console.
  2. Remove existing c:\squid\var\cache\squid_ssldb folder using Windows Explorer.
  3. Double click Squid Terminal shortcut that MSI installer put on your desktop and run c:\squid\lib\squid\ssl_crtd.exe -c -s c:\squid\var\cache\squid_ssldb. The output of this command should contain Initialization SSL db…Done lines.

Next add the following directive to c:\squid\etc\squid\squid.conf.

# certificate generation program
sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB

Step 4. Create SslBump bypass files

Sometimes you need to skip SslBump for some sites or destination IP addresses, for example, your bank or government institution. We will create two files for that purpose. The first file c:\squid\etc\squid\ssl_exclude_domains.conf will contain domain names to bypass decryption (one domain name per line) as shown below.

.example.com
.example.org
.example.net

The second one c:\squid\etc\squid\ssl_exclude_ips.conf will contain destination IP addresses to bypass decryption (one address name per line) as shown below.

1.1.1.1
2.2.2.2
3.3.3.3

Step 5. Enable SslBump in Squid for Windows

Finally we need to add the following entries to c:\squid\etc\squid\squid.conf.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl ssl_exclude_domains ssl::server_name "/cygdrive/c/squid/etc/squid/ssl_exclude_domains.conf"
acl ssl_exclude_ips     dst              "/cygdrive/c/squid/etc/squid/ssl_exclude_ips.conf"

ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump splice ssl_exclude_ips
ssl_bump stare step2 all
ssl_bump bump all

Do not forget to restart Squid for Windows service using Services management console.

Resume

Point your browser to Squid proxy, navigate to HTTPS address (for example https://www.diladele.com), click on the lock icon in the browser address bar and make sure the HTTPS certificate was issued by your Squid proxy.

You would also need to install DER public certificate c:\squid\etc\squid\myca.der in all your browsers as explained at Install Trusted Certificates.