
Re: Client Certificate Authentication

On 15/03/11 20:26, Jaime Nebrera wrote:
Hi Amos and list members,

Reading the available information in the Internet I'm not sure if
this is possible or not.

It is. Though not easily.

Ok

Squid https_port can accept forward proxy traffic as easily as
reverse-proxy traffic. The difficulty comes when you find out that none
of the popular browsers actually open HTTPS connections to proxies. An
A stunnel wrapper is needed to apply the SSL bit from the users box to the
Squid.

I didn't know this. Might it be that they are confused and that they
might be using Kerberos or something like that that in essence is based
on certificates?

What do you mean by "they" being confused? You earlier said you were setting this up. My answer was based around your question.


I have also seen SSLBump that seems in that topic.

Nope, this is MITM on HTTPS. No per-user certificates involved.

Ok

BTW, I would like the proxy to use User's certificate when
authenticating against other (external) servers.

It cannot. The SSL traffic which follows a certificate CANNOT be
generated without the secret keys associated with the certificate. Squid
does not have this information and can only be configured to use one set
of keys for all DIRECT outgoing traffic.

What you have instead is a certificate authorizing Squid to open
connections to external places plus some ACL rules in squid.conf
limiting which clients are allowed to go via HTTPS to those places.
Those external places see Squid as the client software even with regular
HTTP traffic.

Mmmm, I have seen commercial products that state they are able to
analyze SSL traffic with a MITM attack. I understand this is of course a
security concern by itself, but I thought these products were doing this.
Might it be they are using a generic certificate for all of them?

Very thankful for your replies. Regards


They likely do it in a similar or the same way Squid does: with MITM and generating a new fake certificate. You asked for ways to do it *without* MITM, relying on a specific existing client certificate set at the browser end of the transaction. The fake certs used in MITM do not pass validation such as a server checking for specific client certs does.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5

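The arrangement Amos describes above (an https_port taking forward-proxy traffic from the user's stunnel, a client certificate that authorizes the user to the proxy, ACL rules limiting which clients may go via HTTPS to which places, and one fixed key pair for all of Squid's own outgoing SSL) as an added squid.conf sketch for Squid 3.1; it is not configuration from the thread or from the Squid project, and every path, port, domain and certificate attribute value is an assumed placeholder.

```conf
# Forward-proxy listener spoken to over SSL. Browsers will not open an SSL
# connection to a proxy on their own, so stunnel on the user's box wraps the
# plain proxy connection and presents the user's client certificate here.
# clientca= is the CA that issued the user certificates (assumed path);
# NO_DEFAULT_CA keeps the system CA bundle out of client-cert validation.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem \
    clientca=/etc/squid/client-ca.pem sslflags=NO_DEFAULT_CA

# Identify users by attributes of the client certificate they presented.
# user_cert matches DN/C/O/CN/L/ST of the user's certificate; the O value
# "ExampleCorp" is a placeholder for the real issuing organisation.
acl cert_users user_cert O ExampleCorp

# Which external places these certificate holders may reach over HTTPS
# (placeholder domain). CONNECT tunnels are what HTTPS-through-proxy uses.
acl CONNECT method CONNECT
acl SSL_ports port 443
acl allowed_https dstdomain .partner.example

# Deny tunnels to anything but port 443, and only to the allowed places.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !allowed_https

# No valid client certificate, no access at all; certificate holders get in.
http_access deny !cert_users
http_access allow cert_users
http_access deny all

# Squid's own identity toward external servers when it originates SSL
# itself (reverse proxy / SSLBump). This is the single key pair Amos refers
# to: the same one for all DIRECT outgoing SSL, never the user's. For plain
# CONNECT tunnels the external server sees Squid only as the TCP client.
sslproxy_client_certificate /etc/squid/squid-client-cert.pem
sslproxy_client_key /etc/squid/squid-client-key.pem
```

Check the result with `squid -k parse` after editing; the directives above require a Squid built with SSL support.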
