On 15/02/2013 2:23 a.m., Prasanna Venkateswaran wrote:
Hi,
I have been trying to set up squid which can intercept https
traffic without client (read it as browser proxy) changes. I am using
the latest squid 3.3.1. When I actually open a https site I still see
the certificate with the parameters I provided (for myCA.pem) and I
don't see any of the original certificate's properties being mimicked.
I have listed my config below. Please let me know whether I am missing
anything. Pardon me if I am overlooking any config. I am relatively new
to squid.
My iptables config:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 3129
My Squid config:
http_access deny all
always_direct allow all
ssl_bump server-first all
# Squid normally listens to port 3128
http_port 3128 transparent
https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump
Mimic only works when the certificate is being created by Squid.
The above config line is a _static_ certificate configuration. Whatever
request arrives at squid will be SSL set up using the myCA.pem keys, which
were created by you in advance and are fixed.
What you need is a _dynamic_ certificate configuration, with the CA
certificate, private key (key=) certificate and generate-* SSL options
enabled on this port to allow Squid to create new certificates as needed.
Amos
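As an added illustration of the static versus dynamic configuration Amos describes (this is not from the thread and not Squid's own sample config), the https_port line from the question beside a version that enables certificate generation. The ssl_crtd path, cache directory and sizes are assumptions for a Squid 3.3 build and must match the local install.

```conf
# Added example, not part of the original thread. Paths and sizes are
# assumptions for a Squid 3.3 build with ssl_crtd; adjust to the local install.

# BEFORE (the question's line): static certificate. Every client is handed
# myCA.pem itself, so nothing from the origin server's certificate is mimicked.
# https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump

# AFTER: dynamic generation. myCA.pem now acts as the signing CA (cert= and
# key= may point at the same PEM if it bundles certificate and private key)
# and Squid mints a per-site certificate copying the origin's properties.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem

# Helper that performs the signing, plus its on-disk certificate cache.
# Create the cache once before starting Squid, as the user Squid runs as:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Unchanged from the question: fetch the real server certificate first so
# its properties are available to mimic.
ssl_bump server-first all
always_direct allow all

# The CA key referenced above can sign a certificate for any site. Keep the
# file readable only by the Squid user; clients will still show warnings
# unless they have been configured to trust this CA.
```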