I have found that the ssl_bump/sslcrtd does not work as expected on FreeBSD when used for MITM intercept ssl proxy. I am using the following squid config with a rdr in pf firewall:

http_port 3128 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
# Strips https and sends request as http to server, but keeps https to client
https_port 3129 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
always_direct allow all
follow_x_forwarded_for allow all
forwarded_for on
acl localhost src 127.0.0.1/32 ::1
ssl_bump deny localhost
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /local/libexec/squid/ssl_crtd -s /local/squid/ssl_db -M 4MB
sslcrtd_children 5

What happens is the https connect is sent to clients from squid and the ssl is stripped on the proxy request that goes out. It basically strips ssl but makes it appear that the client is connected via ssl... This could be a bad thing :)

Maybe someone can take a look at this and explain why sslcrtd/ssl_bump does not create an ssl proxy request but instead just goes http?

Thanks.
Mike
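
Added example, not part of the original post: a short Python audit that lists the ssl-bump listeners in a squid.conf and flags the two directives in the posted configuration that make Squid accept upstream server certificates that fail verification (sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow). The function name audit_squid_conf and the finding labels are assumptions made for this example.

```python
import re

# The configuration from the post, embedded so the example runs offline.
POSTED_CONF = """\
http_port 3128 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
# Strips https and sends request as http to server, but keeps https to client
https_port 3129 intercept connection-auth=off ssl-bump cert=/local/certs/proxy.local.pem key=/local/certs/proxy.local.pem
always_direct allow all
follow_x_forwarded_for allow all
forwarded_for on
acl localhost src 127.0.0.1/32 ::1
ssl_bump deny localhost
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /local/libexec/squid/ssl_crtd -s /local/squid/ssl_db -M 4MB
sslcrtd_children 5
"""


def audit_squid_conf(text):
    """Return (line_no, label, detail) findings for TLS-interception settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and "ssl-bump" in args:
            # A listener that terminates client TLS with a proxy-issued certificate.
            mode = "intercept" if "intercept" in args else "forward"
            findings.append((no, "bump-listener", f"{directive} {args[0]} ({mode})"))
        elif directive == "sslproxy_flags":
            # Squid accepts several flags separated by ',' or ':'.
            flags = re.split(r"[,:]", "".join(args))
            if "DONT_VERIFY_PEER" in flags:
                findings.append((no, "peer-verify-off", line))
        elif directive == "sslproxy_cert_error" and args[:1] == ["allow"]:
            # An allow rule bypasses server certificate validation errors.
            findings.append((no, "cert-errors-accepted", line))
    return findings


if __name__ == "__main__":
    for no, label, detail in audit_squid_conf(POSTED_CONF):
        print(f"line {no}: {label}: {detail}")
```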