SSL encryption between parent and child squid proxy

February 22, 2011 · Posted in Linux, Projects

I have been using the Squid proxy server for a long time. Recently I had to forward several requests to a child proxy, but those requests had to be sent encrypted. A VPN connection between the two proxies was my first thought. However, adding one more tunnel to that server would make the whole network configuration really nasty, so I had to think of an alternative solution. That was SSL.

First, a little background info.

How does SSL work:

In SSL client-server authentication we use X.509 certificates. OK, but what is that? Think of a paper certificate: a digital certificate is pretty much the same thing, except that it is digital and includes information about a specific host. For example, an X.509 certificate includes the version, the signature algorithm, the validity period, the subject name, the subject's public key and some other information as well. Why do we need it? Simple. Take a look at the following illustration.

So what is going on here?

The client sends a "hello" message to the server containing some preferences, such as the supported ciphers, and a random value A. The server replies with a "hello" message containing the chosen cipher, its certificate and another random value B. The server also requests the client's certificate. The client verifies the server's certificate (we won't) and generates a master key based on its private key and the random value B. Then it uses the server's public key (embedded in the server's certificate it received before) to encrypt the master key and forwards it to the server. At this point a shared secret key has been established between the server and the client. They will use this key together with the random values A and B to compute the MAC and encryption keys. Finally, the client will use the chosen cipher (as selected by the server in its "hello") to encrypt the following packets.

How does this apply to our case:

Think of the parent Squid proxy as the client and the child as the server, because it is the parent (client) that contacts the child (server) to send the packets in the first place. I assume you have a working Squid configuration on both ends.

Generate certificates:

This applies to both hosts.

Create the private key:

openssl genrsa -out server.key 4096

Create a self-signed certificate from that key:

openssl req -new -x509 -key server.key -out server.crt -days 365

Now you should have a working key and certificate on each of your Squid hosts (let's assume parent.key/parent.crt and child.key/child.crt).

Child configuration:

The child proxy must be configured to listen on an HTTPS port with its new certificate and key:

https_port 4443 cert=/etc/squid/child.crt key=/etc/squid/child.key

Parent configuration:

The parent proxy should be configured as follows. Replace <child-hostname> with the hostname or address of the child proxy; the word "parent" is the peer type expected by cache_peer, and the second port is the ICP port, which is set to 0 because ICP is not used over this link.

cache_peer <child-hostname> parent 4443 0 ssl \
sslcert=/etc/squid/parent.crt \
sslkey=/etc/squid/parent.key sslflags=DONT_VERIFY_PEER
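The script below is an added example and not part of the original post: it wraps the certificate steps above into a non-interactive function, checks that each certificate really carries its key's public key, prints the fingerprint to compare out of band after copying child.crt to the parent, and emits a cache_peer line that verifies the child's self-signed certificate via sslcafile instead of switching verification off with DONT_VERIFY_PEER (with DONT_VERIFY_PEER the parent cannot tell the real child from an impersonator). It assumes openssl is on PATH and that cache_peer accepts the sslcafile and ssldomain options (Squid 2.7/3.x); all hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Same openssl commands as the
# post, made non-interactive, plus the checks a practitioner wants before
# trusting the link. Assumptions: openssl on PATH; names/paths are placeholders.

# make_squid_cert NAME DIR CN [BITS]: writes DIR/NAME.key and DIR/NAME.crt.
# CN must equal the hostname the parent uses in cache_peer, because Squid
# compares the peer certificate's name against that hostname (or ssldomain).
make_squid_cert() {
    name=$1; dir=$2; cn=$3; bits=${4:-4096}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null || return 1
    chmod 600 "$dir/$name.key"          # private key: owner-readable only
    openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.crt" \
        -days 365 -subj "/CN=$cn" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds only if CRT carries KEY's public key
# (compares the SubjectPublicKeyInfo extracted from each side).
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_fingerprint CRT: SHA-256 fingerprint, the value to confirm out of band
# after copying child.crt to the parent host.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# peer_config CHILD_HOST PARENT_CRT PARENT_KEY CHILD_CRT: cache_peer line for
# the parent. The child's own self-signed cert is the trust anchor (sslcafile),
# ssldomain pins the expected name, icp-port 0 disables unused ICP queries.
peer_config() {
    printf 'cache_peer %s parent 4443 0 ssl sslcert=%s sslkey=%s sslcafile=%s ssldomain=%s\n' \
        "$1" "$2" "$3" "$4" "$1"
}

# Example run with placeholder names (replace with your real hosts and paths):
# make_squid_cert child /etc/squid child.example.internal
# cert_matches_key /etc/squid/child.crt /etc/squid/child.key && \
#     cert_fingerprint /etc/squid/child.crt
# peer_config child.example.internal /etc/squid/parent.crt \
#     /etc/squid/parent.key /etc/squid/child.crt
```

The same https_port line as above stays on the child; only the parent's cache_peer line changes, and the fingerprint printed on the child must match the one computed from the copied child.crt on the parent.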

You are done :)
