SSLBUMP (Squid) stress test

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 30 22:41:30 UTC 2018


On 04/29/2018 01:09 PM, Panagiotis Bariamis wrote:

> I am trying to measure performance for a proxy while using sslbump.
> I have used the following sslwrap :
> SslWrap sslWrap = {
>     ssl_config_file = "openssl.conf";
>     root_certificate = "keyall.pem";
>     session_resumption = 70%;
>     session_cache = 100;
> };
> While openssl.conf is the conf suggested by web polygraph site.

> The root certificate keyall.pem is the private+public CA used for sslbump.

If you use the above sslWrap for Polygraph robots and Polygraph servers,
then please note that you are testing an unrealistic setup:

* An origin server signs traffic with certificate signed by Root CA X.
* Squid signs bumped traffic with certificate signed by Root CA Y.
* X is Y.

Normally, X is not Y!

This modeling problem does not explain the errors you are getting
AFAICT, but it is best to test a more realistic setup where the root CA
in robots sslWrap (Y) is different from the root CA in servers sslWrap
(X). If nothing else, you would be able to detect cases where Squid did
not bump SSL traffic it should have bumped during the test.


> I have tried many combinations but I always get the error:
> :SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> How can I make web polygraph trust my CA for sslbump?

Nothing jumps at me as broken in your small configuration snippet and
description.

1. Are your robots configured to go to Squid's http_port or https_port?
If you are not testing an HTTPS proxy, they should be configured to talk
to an http_port. If you are testing an interception proxy, then robots
should be configured to talk to origin servers directly.

2. Can you double check that the unknown CA in the error message is
actually the CA in keyall.pem? You can do that using wireshark or a
similar tool that inspects traffic. To reduce noise, configure a single
best-effort robot and tell it to stop after the first error.

3. Does "curl --ca-cert keyall.pem" (or equivalent) work when requesting
one of the Polygraph URLs through the same proxy port (while a Polygraph
server is still running)?

Alex.
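An added check for points 2 and 3 above and for the "X is not Y" point (example code written for this page, not from the thread, Squid or Web Polygraph): it opens a CONNECT tunnel through the proxy port and attempts a TLS handshake twice, once trusting only the servers' root CA (X) and once trusting only Squid's bumping CA (Y), so the result says whether the robot is seeing a bumped certificate, the untouched origin certificate, or one neither CA trusts. The proxy address, the server name and the CA file names other than keyall.pem are assumptions.

```python
import socket
import ssl

# Constructed settings (assumptions): Squid's http_port, one Polygraph server name, root CAs X and Y.
PROXY = ("127.0.0.1", 3128)
TARGET = ("polygraph-server.example", 443)
ORIGIN_CA = "server-root-x.pem"   # Root CA X: signs the Polygraph servers' certs
SQUID_CA = "keyall.pem"           # Root CA Y: the CA Squid bumps with

def connect_accepted(reply: bytes) -> bool:
    """True if the proxy answered CONNECT with a 2xx status line."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")

def open_tunnel(proxy, target, timeout=5.0):
    """CONNECT through the proxy and return the raw socket once the tunnel is up."""
    sock = socket.create_connection(proxy, timeout=timeout)
    host, port = target
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    if not connect_accepted(reply):
        sock.close()
        raise ConnectionError("CONNECT refused: %r" % reply.split(b"\r\n", 1)[0])
    return sock

def chain_verifies(cafile: str) -> bool:
    """Fresh tunnel, then a TLS handshake that trusts only `cafile`.
    A failure here is what the client-side 'unknown ca' alert looks like."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(open_tunnel(PROXY, TARGET), server_hostname=TARGET[0]):
            return True
    except ssl.SSLCertVerificationError:   # untrusted issuer or hostname mismatch
        return False

def classify(trusted_by_origin_ca: bool, trusted_by_squid_ca: bool) -> str:
    """Name what the robot is really talking to."""
    if trusted_by_squid_ca and not trusted_by_origin_ca:
        return "bumped"       # chain ends at Y: Squid generated the certificate
    if trusted_by_origin_ca and not trusted_by_squid_ca:
        return "not-bumped"   # chain ends at X: the origin cert passed through untouched
    if trusted_by_origin_ca and trusted_by_squid_ca:
        return "ambiguous"    # X is Y: the test cannot tell bumped from not bumped
    return "unknown-ca"       # neither trusts it: the tlsv1 alert unknown ca case
```

Run `classify(chain_verifies(ORIGIN_CA), chain_verifies(SQUID_CA))` while a Polygraph server is up; "ambiguous" is exactly the X-is-Y setup the reply warns about, and "unknown-ca" means the certificate the robot received chains to neither file.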

