On 10/18/2013 04:59 AM, Larry Zhao wrote:
Hi, Eliezer,
Yes, my problem to solve is only to proxy to this specific host, no
other subdomains need considering.
Well it depends...
If you want to intercept only one DOMAIN or one tree of domains you need
to issue different certificates or a mimic of a certificate.
Also you need the clients to accept certificates from your own server.
It's not that simple, just note that.
And to be honest, I am new to this part, from what I could get from
the page you mentioned, I need to use ssl-bump? Am I right?
If you have one combined key\pem file of both the private key and the
certificate you can use only the cert part..
Take a small peek at:
https://workaround.org/certificate-authority
I will continue with it later.
Eliezer
--
Cheers ~
Larry
On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Hey,
Only to this specific host or also all the subdomains etc..
It differs a bit..
A small look at this wiki:
http://wiki.squid-cache.org/Features/MimicSslServerCert
Will clarify some doubts and situations in which you might see some
problems.
Eliezer
On 10/17/2013 06:44 PM, Larry Zhao wrote:
Hi, Guys,
I am trying to set up an SSL proxy for one of my internal servers to
visit `https://www.googleapis.com` using Squid, to make my Rails
application on that server reach `googleapis.com` via the proxy.
I am new to this, so my approach is to set up an SSL transparent proxy
with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of
SSL key and crt, and configured Squid like this:
http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
And left almost all other configurations default. The authorization
of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096
Oct 17 15:45 ssl`
Back on my dev laptop, I put `<proxy-server-ip> www.googleapis.com` in
my `/etc/hosts` to make the call go to my proxy server.
But when I try it in my Rails application, I got:
SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
And I also tried with openssl in cli:
openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:error in SSLv2/v3 read server hello A
Where did I go wrong?
--
Cheers ~
Larry
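
Added example, not part of the thread: the reply above mentions a combined key/PEM file and using only its cert part, and the original configuration passes a file named server.csr to cert=. This sketch lists which PEM block types a file holds (certificate, certificate request, private key) and extracts only the certificate blocks. The sample PEM bodies and the file names printed at the end are constructed placeholders, not real key material or files from the thread.

```python
import re

# Constructed samples: placeholder base64 bodies, not real key material.
SAMPLE_COMBINED = """\
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5LXBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2VydC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""
SAMPLE_CSR = """\
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQtY3NyLXBsYWNlaG9sZGVy
-----END CERTIFICATE REQUEST-----
"""

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def classify(label):
    """Map a PEM label to certificate / csr / private-key / other."""
    if label in ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"):
        return "certificate"
    if label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return "csr"
    if label.endswith("PRIVATE KEY"):  # RSA/EC/ENCRYPTED/plain PKCS#8
        return "private-key"
    return "other"

def summarize(text):
    """Count the block kinds found in a PEM file's text."""
    kinds = [classify(label) for label, _ in pem_blocks(text)]
    return {k: kinds.count(k) for k in sorted(set(kinds))}

def cert_part(text):
    """Return only the certificate blocks (no key, no request)."""
    certs = [b for label, b in pem_blocks(text) if classify(label) == "certificate"]
    return "\n".join(certs) + "\n" if certs else ""

if __name__ == "__main__":
    # Hypothetical file names, used only to label the constructed samples.
    for name, text in (("combined.pem", SAMPLE_COMBINED), ("server.csr", SAMPLE_CSR)):
        print(name, summarize(text))
```

A file whose summary shows only a csr block contains a signing request rather than a signed certificate.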