On 2014-04-02 04:39, Beto Moreno wrote:
> Hi. Working these past days with squid 3.3.10 and ssl-bump, which works on most of the sites I use, but I don't know all the sites my users access. There is one site, my bank account, that is one of the sites that won't let me access it with ssl-bump enabled. My doubt is if you know how the commercial proxies handle this? Do they have the same behaviour? Because the way this works is beautiful, but trying to fix the issue with my bank is what keeps me nervous about sending this to production.
SSL-bump just generates a valid (or carefully copied inaccurate) certificate with incorrect keys.
If your bank is using HSTS or DANE then SSL-bump is easily detected and can be warned about or rejected by a client UA validating the certificates with those mechanisms.
Another common cause is one part of the system using seriously outdated crypto. Ensure your SSL library and certificates are up to date. If this happens at the bank's end I would not use their HTTPS access until it's fixed.
> Does someone here have this feature in production? How do you handle these problems with sites' SSL issues? My bank, the funny thing is that it doesn't show me any browser error, it just sends me a popup screen with some words like "ip client", that's all, difficult to troubleshoot.
Strange. Exact errors are important here. SSL/TLS is highly complex behind the scenes and all the little software-specific issues make it complex.
Amos