On Mon, 05 Oct 2009 10:59:49 -0400, "Carsten Lührs" <carsten424@xxxxxxx> wrote:
> Hi,
> I configured ssl_bump as follows:
>
> sslproxy_version 1
> ssl_bump allow all
> sslproxy_cert_error deny all
> always_direct allow all
>
> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>
> My problem is that the client receives a certificate issued for the
> squid, not for the original server (using the squid CA) - how could I
> solve this?
>
> Thanks
> Carsten

This is how SSL works. It encrypts the channel between two IP addresses (Client -> Server). When you place Squid in the middle (Client->Squid->Server) the SSL authentication must change so that it authenticates/encrypts the two different IP connections separately (Client->Squid) and (Squid->Server). SslBump does that, and that is why even using it will not allow you to forge HTTPS requests.

In order to use SslBump you require control of the clients to make them accept the Squid CA. The solution you seek is to push out the CA signing the Squid certificate to the client browsers.

Amos
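
What pushing out the CA changes on the client side, as an added example that is not part of the original thread: a throwaway CA stands in for the Squid CA, and the same certificate is checked against a trust store without and then with that CA. All names, keys and file names are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated here.
set -eu

# Build a throwaway CA (standing in for the Squid CA), an unrelated CA, and
# a site certificate issued by the stand-in Squid CA.
make_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Squid CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/squid-ca.key" -out "$dir/squid-ca.pem" 2>/dev/null
    # Unrelated CA: stands in for the client's stock trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -subj "/CN=Constructed Public CA" \
        -keyout "$dir/public-ca.key" -out "$dir/public-ca.pem" 2>/dev/null
    # Certificate presented on the Client->Squid leg, signed by the Squid CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
    openssl x509 -req -in "$dir/site.csr" -days 1 -CA "$dir/squid-ca.pem" \
        -CAkey "$dir/squid-ca.key" -CAcreateserial -out "$dir/site.pem" 2>/dev/null
}

# Prints "trusted" or "untrusted" for certificate $2 against trust store $1.
client_verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
echo "before CA rollout: $(client_verdict "$demo_dir/public-ca.pem" "$demo_dir/site.pem")"
echo "after CA rollout:  $(client_verdict "$demo_dir/squid-ca.pem" "$demo_dir/site.pem")"
```
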