On 08/20/2010 04:35 AM, Roberto Martelloni wrote:
I have read that in the roadmap of Squid 3.3 dynamic SSL cert hijacking
will be available.
I'm interested in this functionality plus an ICAP module to record all SSL
sessions for network forensic analysis, post incident.
Do you think it is possible to use Squid + SslBump + ICAP/eCAP to write
down in a structured way all the SSL data forwarded by the proxy?
Does anyone have any suggestion or experience with this kind of utilization,
or can't the ICAP/eCAP functionality be used for this purpose? Is it out of
the scope?

What you want is indeed possible. Some caveats:
(a) ICAP/eCAP are not related to SslBump in any way. Those APIs do not
know where the traffic is coming from and whether it was encrypted at
some point or will be encrypted later. Knowing which pieces are
independent may help you understand the overall architecture better. You
will need an ICAP or eCAP adapter to record traffic. It is fairly easy
to write a simple one though.
(b) Dynamic SSL Certificate Generation does not work with transparent
proxies at this time, and there is currently no project to add such
functionality. Doing so would require a serious development effort.
(c) While there is an outdated patch adding Dynamic SSL Certificate
Generation to Squid v3.1, there is currently no project to update that
code. I am optimistic that we will do it within two months, but I cannot
promise anything. Synchronizing and committing that patch to trunk is
required to get the feature into v3.2 or v3.3.
HTH,
Alex.
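Point (a) above says a simple recording adapter is fairly easy to write. The following is an added example, not code from this thread or from the Squid project: the core of an ICAP RESPMOD recorder that parses one request the way Squid frames it (ICAP headers, the Encapsulated offsets, the chunked body), turns the encapsulated HTTP request and response into a structured record for later forensic review, and answers 204 so the proxied traffic passes through unmodified. The service URL, the ISTag and the sample HTTP exchange are assumptions.

```python
CRLF = b"\r\n"

def parse_headers(block):
    """Parse an HTTP or ICAP header block (start line + headers) into a dict."""
    lines = block.rstrip(CRLF).split(CRLF)
    hdrs = {"start_line": lines[0].decode("latin-1")}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def dechunk(data):
    """Decode an encapsulated body (ICAP reuses HTTP chunked encoding)."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions such as ieof
        if size == 0:
            return bytes(out)
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                      # skip the chunk's trailing CRLF

def record_respmod(icap_msg):
    """Turn one RESPMOD request into (structured record, ICAP reply bytes)."""
    head, _, encap = icap_msg.partition(CRLF + CRLF)
    icap_hdrs = parse_headers(head)
    # "Encapsulated: req-hdr=0, res-hdr=N, res-body=M" gives byte offsets into encap.
    parts = [(n.strip(), int(o)) for n, _, o in
             (item.partition("=") for item in icap_hdrs["encapsulated"].split(","))]
    record = {"icap": icap_hdrs["start_line"]}
    for i, (name, off) in enumerate(parts):
        end = parts[i + 1][1] if i + 1 < len(parts) else len(encap)
        if name.endswith("-hdr"):
            record[name] = parse_headers(encap[off:end])
        elif name.endswith("-body"):
            record[name] = dechunk(encap[off:end]).decode("latin-1")
    # 204 = "forward the original message unchanged"; assumes Squid sent Allow: 204.
    reply = b"ICAP/1.0 204 No Content" + CRLF + b'ISTag: "recorder-1"' + CRLF + CRLF
    return record, reply

def build_respmod(req_hdr, res_hdr, body):
    """Frame a RESPMOD request as Squid would (constructed sample input, not captured traffic)."""
    chunked = b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF
    head = CRLF.join([b"RESPMOD icap://127.0.0.1:1344/record ICAP/1.0", b"Host: 127.0.0.1", b"Allow: 204",
                      b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))])
    return head + CRLF + CRLF + req_hdr + res_hdr + chunked

# Constructed sample: one HTTP exchange as the adapter sees it (ICAP never learns it was TLS).
SAMPLE = build_respmod(b"GET /login HTTP/1.1" + CRLF + b"Host: www.example.com" + CRLF + CRLF,
                       b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html" + CRLF + CRLF,
                       b"<html>hello</html>")
```

`record_respmod(SAMPLE)` returns the record to write out (for example as JSON lines with a timestamp and the client address from Squid's X-Client-IP header, if icap_send_client_ip is enabled) and the 204 reply to send back on the ICAP connection.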