Re: Re: Transparent proxying HTTPS through Squid


On Mon, Jan 07, 2008, Dumpolid Exeplish wrote:
> Adrian,
> 
> How can this be possible? Can you explain?

* You can treat the SSL connection as just a TCP tunnel type connection.
  (And if you need to pass it to an upstream proxy, just wrap it in CONNECT.)
* You can then do a few things, like:
  - without breaking the connection:
    - fingerprint the SSL cipher maybe?
    - source/destination IP addresses
    - destination port
    - destination host, if given in the CONNECT request
  - breaking the SSL connection (i.e., terminating it and then issuing an SSL connection outbound):
    - well, you've got access to the whole datastream, so anything
    - but you have to play SSL certificate games so your users don't get hounded by their
      browsers about insecure certificates.

Squid-3 is growing something (called "SslBump") which will introduce some of
these features. I'd like to introduce similar functionality in Squid-2 once
the Squid-3 code is complete and debugged.



Adrian
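
The "without breaking the connection" checks from the message above (destination port and the host given in the CONNECT request), as an added example that is not part of the original post and is not Squid code. The allowed ports, the blocked suffix and the rule for bare IP targets are hypothetical policy values constructed for the illustration.

```python
import ipaddress

# Hypothetical policy values, constructed for this example.
ALLOWED_PORTS = {443, 8443}
BLOCKED_SUFFIXES = (".blocked.example",)


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port).

    Raises ValueError on anything that is not a well-formed CONNECT line.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request line")
    target = parts[1]
    if target.startswith("["):  # IPv6 literal, e.g. [2001:db8::1]:443
        host, sep, port = target[1:].partition("]:")
    else:
        host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("CONNECT target must be host:port")
    return host.lower().rstrip("."), int(port)


def decide(request_line, client_ip):
    """Return (verdict, reason) using only metadata visible without decryption."""
    try:
        host, port = parse_connect(request_line)
    except ValueError as exc:
        return "deny", str(exc)
    if port not in ALLOWED_PORTS:
        return "deny", f"port {port} not allowed for tunnels"
    try:
        ipaddress.ip_address(host)
        # No hostname was given, so only IP-level checks are possible.
        return "deny", "tunnel to bare IP address, no hostname to check"
    except ValueError:
        pass  # target is a hostname, continue with name-based checks
    if any(host == s[1:] or host.endswith(s) for s in BLOCKED_SUFFIXES):
        return "deny", f"{host} matches blocked suffix"
    return "allow", f"{client_ip} -> {host}:{port}"
```

The decision never looks inside the tunnel, so it cannot tell what is requested from an allowed host; that requires the terminate-and-reissue approach the message describes.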
