Re: squid behind another squid with sslbump

On 19/06/2013 9:13 p.m., marwan wrote:
> Hi,
>
> I have a problem with the sslbump option, can someone help me please?
>
> I explain it:
>
> client <-> child proxy <-> parent proxy <-> server
>
> I have established a proxy behind another squid proxy. If I try to use the
> parent proxy alone, it operates correctly. The parent proxy uses sslbump with
> this configuration:
> --------------------------------------
> http_port 3128 ssl-bump cert=/usr/local/squid/ssl/squid.crt.ok key=/usr/local/squid/ssl/squid.key.ok clientca=/home/mhalloumi/Bureau/ca_cert.pem
>
> always_direct allow all
> ssl_bump allow all

Please upgrade to 3.3 if you are using ssl-bump. That series has much safer SSL handling.

> So if I try to send with wget a request to a server with this command (wget
> https://www.cic.fr/fr/ --no-check-certificate --certificate user_cert.pem)
> (I have configured wget to send requests to the child proxy), the child proxy
> doesn't use ssl-bump with its parameters but just forwards the request to the
> parent proxy.
>
> So I want to know if:
>
> it is possible to use sslbump with this proxy behind another proxy using
> sslbump?

Possible, yes. Reasonable, no.

When *you* control both ends of the SSL connection (child and parent proxies) there is absolutely zero reason to hijack and force the decryption. You can just decrypt using regular SSL sender/receiver functionality. You can even use SSL cert validation of both server and client certs to ensure nobody else intercepts your SSL connection between the proxies.

ssl-bump is *only* useful to hijack and decrypt *somebody else's* SSL connections. Either decrypting clients' CONNECT requests which are tunneling HTTPS over regular HTTP connections, or decrypting clients' port 443 traffic.

> How can I use the SSL parameters from the command "cache_peer" (for example
> sslcert, sslkey or sslversion)?
>
> Why don't the sslbump parameters of the child proxy work in my case? (I want
> this parameter for the ssl context server of the parent proxy).

Because the parent is expecting to receive plain-HTTP from the child. The child is sending SSL traffic to the parent.

Use an https_port with a normal server certificate (nothing special like ssl-bump) on the parent proxy.

Amos
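An added example of the arrangement Amos describes, not part of the original thread: the parent listens on a plain https_port with an ordinary server certificate, and the child reaches it through cache_peer with the ssl options, so the proxy-to-proxy hop is regular TLS with both sides checking the other's certificate and no ssl-bump involved. Hostnames, ports, file paths and the certificate CN are assumed values.

```conf
# ---- parent proxy (squid.conf) ---------------------------------------
# Plain TLS listener: a normal server cert, no ssl-bump.
# clientca= names the CA that issued the child's client certificate.
https_port 3129 cert=/etc/squid/parent.crt key=/etc/squid/parent.key clientca=/etc/squid/proxy-ca.pem

# Only a client presenting a certificate with this CN may use the parent
# (assumed CN). A session without a verified client cert matches nothing.
acl child_proxy user_cert CN child.proxy.example.com
http_access allow child_proxy
http_access deny all

# The parent goes to origin servers itself.
always_direct allow all

# ---- child proxy (squid.conf) ----------------------------------------
# Send everything to the parent over TLS (the "ssl" option), presenting
# the child's own certificate and verifying the parent's against our CA.
# ssldomain= pins the name expected in the parent's certificate.
cache_peer parent.proxy.example.com parent 3129 0 no-query default ssl sslcert=/etc/squid/child.crt sslkey=/etc/squid/child.key sslcafile=/etc/squid/proxy-ca.pem ssldomain=parent.proxy.example.com

# Never bypass the parent, otherwise requests leak out unencrypted.
never_direct allow all

# Weak variant for comparison. Do NOT use: it disables verification of
# the parent's certificate, so anyone on the path can impersonate it.
# cache_peer parent.proxy.example.com parent 3129 0 no-query default ssl sslflags=DONT_VERIFY_PEER
```

With this in place the child carries the client's plain CONNECT/GET requests to the parent inside TLS, the parent decrypts them with its own key as any HTTPS server would, and an on-path attacker between the two proxies can neither read the traffic nor stand in for either side, which is the "SSL cert validation of both server and client certs" Amos refers to. Squid 3.5 and later spell the cache_peer options tls, tls-cert=, tls-key= and tls-cafile=; the older ssl* names shown here match the 3.3 series discussed in the thread.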
