
Re: ssl_bump and certificate for client

On Mon, 05 Oct 2009 10:59:49 -0400, "Carsten Lührs" <carsten424@xxxxxxx>
wrote:
> Hi,
> I configured ssl_bump as follows:
> 
> sslproxy_version 1
> ssl_bump allow all
> sslproxy_cert_error deny all
> always_direct allow all
> 
> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
> 
> My problem is, that the client receives a certificate issued for the
> squid, not for the original server (using the squid CA) - how could I
> solve this?
> 
> Thanks
> Carsten

This is how SSL works. It encrypts the channel between two IP addresses
(Client -> Server).

When you place Squid in the middle (Client->Squid->Server) the SSL
authentication must change so that it authenticates/encrypts the two
different IP connections separately (Client->Squid) and (Squid->Server).

SslBump does that, and that is why even using it will not allow you to forge
HTTPS requests. In order to use SslBump you require control of the clients
to make them accept the Squid CA. The solution you seek is to push out the
CA signing the Squid certificate to the client browsers.

Amos
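The situation Amos describes, as an added example that is not part of the thread: a certificate carrying the origin host name but signed by the proxy's own CA (the role of cert.pem in Carsten's config), which a client rejects until it has been given that CA. It assumes the openssl command-line tool is installed; the CA name and host name are made up.

```shell
#!/bin/sh
# Added example, not from the Squid list thread. Simulates what a bumped
# client sees: a leaf certificate for the origin host name whose issuer
# is the proxy CA, not a public CA. Names below are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The proxy's own CA, standing in for /usr/local/squid/etc/cert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Squid Proxy CA (example)" \
  -keyout squid-ca.key -out squid-ca.pem >/dev/null 2>&1

# 2. A certificate naming the origin host, signed by the proxy CA.
#    This is what SslBump hands to the client instead of the real one.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.com" \
  -keyout bumped.key -out bumped.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in bumped.csr \
  -CA squid-ca.pem -CAkey squid-ca.key -CAcreateserial \
  -out bumped.pem >/dev/null 2>&1

# Who issued the certificate the client receives?
issuer() { openssl x509 -in bumped.pem -noout -issuer; }

# A client that was never given the Squid CA: only the default store.
verify_without_ca() {
  if openssl verify bumped.pem >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A client that has the Squid CA pushed out to it, as Amos suggests.
verify_with_ca() {
  if openssl verify -CAfile squid-ca.pem bumped.pem >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "issuer:           $(issuer)"
echo "without Squid CA: $(verify_without_ca)"
echo "with Squid CA:    $(verify_with_ca)"
```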

