On 21/12/2011 3:34 a.m., Sean Boran wrote:
Hi, sslbump allows me to interrupt ssl connections and run an AV check on them. It generates a cert for the target domain (via sslcrtd), so that the user's browser sees a server cert signed by the proxy. If the target domain has a certificate that is expired, or is not signed by a recognised CA, it's important that the lack of trust is communicated to the end user.

Example: on connecting directly (not via a proxy) to https://wiki.squid-cache.org the certificate presented expired 2 years ago and is not signed by a known CA. Next, on connecting via an sslbump proxy (v3.2.0.14), the proxy creates a valid cert for wiki.squid-cache.org and in the user's browser it looks like wiki.squid-cache.org has a valid cert signed by the proxy.

So my question is: what ssl_bump settings would allow the proxy to handle such destinations with expired or non-trusted certs by, for example:
a) Not bumping the connection but piping it through to the user unchanged, so the user's browser notices the invalid cert?
b) Refusing the connection with a message to the user, if the destination is not on an allowed ACL of exceptions.
Pretty much. The Measurement Factory has a project underway to fix this limitation. Please contact Alex about sponsoring their work to make it happen faster, or get access to the experimental code.
Looking at squid.conf, there are sslproxy_flags and sslproxy_cert_error:

# TAG: sslproxy_flags
# DONT_VERIFY_PEER Accept certificates that fail verification.
# NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL.
# TAG: sslproxy_cert_error
# Use this ACL to bypass server certificate validation errors.

So, the following config would then implement scenario b) above?

# Verify destinations: yes, but allow exceptions
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_flags none
# ignore Certs with certain sites
acl TrustedName url_regex ^https://badcerts.example.com/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all

==> But then, why does it not throw an error when connecting to https://wiki.squid-cache.org ?
You configured not to verify, therefore the error is not noticed and cannot trigger any action.
Why no output is displayed you will have to ask the OpenSSL people. There are a few places in their API like this where errors are silently dropped and seemingly no way is provided to check for them externally (i.e. from Squid).
Amos
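As an added illustration of Amos's point, here is a small lint (example code written for this page, not from the thread or the Squid project) that reads a squid.conf fragment and flags the contradiction in the quoted config: once sslproxy_flags DONT_VERIFY_PEER is set, Squid never sees a certificate error, so any sslproxy_cert_error rules are dead configuration and every bumped site looks valid to the client. The directive and flag names are the ones quoted from squid.conf above; the two config texts are constructed for the example, and the "fixed" variant simply omits the flag so that verification runs and the ACL decides.

```python
# Added example, not code from the thread or from Squid: lint a squid.conf
# fragment for sslproxy_flags DONT_VERIFY_PEER combined with
# sslproxy_cert_error rules, which can never trigger when verification is off.

# Constructed sample: the configuration quoted in the thread.
WEAK_CONF = """\
# Verify destinations: yes, but allow exceptions
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_flags none
# ignore Certs with certain sites
acl TrustedName url_regex ^https://badcerts.example.com/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
"""

# Constructed sample: same exception policy with verification left on
# (the DONT_VERIFY_PEER line is simply dropped), so errors are raised and
# the sslproxy_cert_error ACL gets to decide.
FIXED_CONF = """\
acl TrustedName url_regex ^https://badcerts.example.com/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
"""


def parse_directives(conf_text):
    """Yield (directive, [args]) for each non-blank, non-comment line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#sslproxy_flags none' is commented out, so it is skipped
        name, *args = line.split()
        yield name, args


def check_cert_error_rules(conf_text):
    """Return a list of findings; an empty list means the policy can take effect."""
    flags = set()
    cert_error_rules = []
    for name, args in parse_directives(conf_text):
        if name == "sslproxy_flags":
            flags.update(a.upper() for a in args)
        elif name == "sslproxy_cert_error":
            cert_error_rules.append(args)

    findings = []
    if "DONT_VERIFY_PEER" in flags:
        if cert_error_rules:
            findings.append(
                "DONT_VERIFY_PEER disables peer verification, so the "
                f"{len(cert_error_rules)} sslproxy_cert_error rule(s) never trigger")
        else:
            findings.append(
                "DONT_VERIFY_PEER: bumped clients will see every upstream "
                "certificate, expired or untrusted, as valid")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_cert_error_rules(conf) or ["no findings"])
```

Running it prints one finding for the quoted config and none for the variant without the flag. The check deliberately says nothing about what happens when no sslproxy_cert_error rule matches; that default is not stated in the thread, and the lint only reports what the thread establishes.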