Hi there

I've started testing sslbump with "ssl_bump server-first" and have noticed something (squid-3.4.5).

If your clients have the "Proxy CA" cert installed and go to legitimate https websites, then everything works perfectly (excluding Chrome with its pinning, but there's no way around that). However, if someone goes to a https website with either a self-signed cert or a server cert signed by an unknown CA, then squid generates a "legitimate" SSL cert for the site, but shows the squid error page to the browser, telling them the error.

The problem with that model is that it means no-one can get to websites using self-signed certs. Using "sslproxy_cert_adapt" to allow such self-signed certs is not a good idea, as then squid is effectively legitimizing the server, which may be a Very Bad Thing.

So I was thinking, how about if squid (upon noticing the external site isn't trustworthy) generates a deliberate self-signed server cert itself (i.e. not signed by the Proxy CA)? Then the browser would see the untrusted cert, the user would get the popup asking if they want to ignore cert errors, and can then choose whether to trust it or not. That way the user can still get to sites using self-signed certs, and the proxy gets to "see" into the content, potentially running AVs over content/etc.

...or haven't I looked hard enough and this is already an option? :-)

Thanks

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
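An added configuration example, not part of the post above: a squid.conf fragment contrasting the "legitimize everything" setting the post warns against with a setting that passes the origin's untrusted status through to the browser. It uses the sslproxy_cert_error and sslproxy_cert_sign directives and the ssl_error / ssl::certSelfSigned / ssl::certUntrusted ACLs of Squid 3.3+; the port, CA file name and helper paths are placeholders, and the exact directive set should be checked against the squid.conf.documented shipped with the build in use.

```conf
# Placeholder paths; adjust to the local install.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/proxyCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump server-first all

# WEAK (shown only as the pattern to avoid): accepting every origin cert
# error and signing the forged cert with the trusted Proxy CA makes a
# self-signed or unknown-CA origin look fully trusted to the client.
#   sslproxy_cert_error allow all
#   sslproxy_cert_sign signTrusted all

# SAFER: accept only the specific origin-side validation errors that the
# user should be allowed to decide on, and reject everything else with
# Squid's error page as before.
acl OriginSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
acl OriginUnknownCA  ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
sslproxy_cert_error allow OriginSelfSigned
sslproxy_cert_error allow OriginUnknownCA
sslproxy_cert_error deny all

# Mirror the origin's trust status in the generated cert: self-signed
# origins get a self-signed forged cert, untrusted-chain origins get a
# cert signed by Squid's internal untrusted CA, and only origins that
# validated cleanly get a cert signed by the Proxy CA the clients trust.
# The browser therefore still shows its own certificate warning for the
# first two classes while Squid can still inspect the bumped content.
sslproxy_cert_sign signSelf ssl::certSelfSigned
sslproxy_cert_sign signUntrusted ssl::certUntrusted
sslproxy_cert_sign signTrusted all
```

Keep the allowed ssl_error list narrow: each error class added there is one the proxy will tolerate on the origin side, so hostname mismatches and expired certs, for example, are deliberately left to fall through to the deny rule.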