On 24/01/2015 6:20 a.m., agent_js03 wrote:
> Hi,
>
> I am kind of a newbie to SSL, and have been tinkering with squid SSL bumping
> for https, so bear with me if this question has already been discussed. So
> here is my understanding of how HTTPS works: a browser has a sort of local
> repository of trusted certificates, correct?

Correct.

> And when you access an HTTPS
> website it searches through these certificates and determines whether one is
> to be trusted or not. So I've set up squid for SSL bumping and have added my
> squid certificate to my browser's list of trusted certificates. However, the
> way SSL now works is that squid intercepts my HTTPS request and I never
> actually see the certificate sent from the original server, correct?

Maybe. It depends on how the bumping is done.

The splice and none modes in their respective Squid versions make it pass-thru the SSL traffic from server to client, so you do see the server details in full.

The mimic feature generates a certificate from Squid cloning as much as possible from the original server cert; both good and bad details are copied. So the client can see how broken the server cert is, and in which ways, even if some particular values are slightly different.

> So what
> I want to know is how does squid know whether the certificate is valid or
> not?

The OpenSSL library used by Squid performs mostly the same checks the browsers are doing to validate the certificate. Then Squid (recent releases) also passes certificate chains through a configurable helper validator that can perform additional checks if you so wish.

In theory the set of "Trusted Certificate Authorities" is a global set, but it does vary depending on who provided the list and how up to date your copy is. The browser vendors have their own processes of determining trust and generate their own lists. On your Squid machine it is probably in a system package called "ca-certificates" or "snakeoil" provided by your OS vendor or OpenSSL packager.
The ones I see most mention of origins for are based on the Mozilla project's trusted CA list - though yours may not be.

> I am afraid of getting a man-in-the-middle attack since it is squid
> that verifies certificates and not my client. Or is my understanding
> incorrect?

The one thing you can guarantee is that you *ARE* absolutely getting MITM'd. By your Squid itself if not some other way. The "SSL-Bump" is an MITM on HTTPS protocol.

To ensure that Squid is at least doing its best to validate, stay away from the various DONT_VERIFY_* options you see some tutorials recommending. They actively disable validation.

> Does squid have this same list of trusted sources and if not can
> I set it up myself?

See above, and yes you can add/remove trusted CA entries yourself. I believe the openssl UI tools have ways to do it, though I'm not familiar enough with them to point you directly at how, sorry.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
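As an added illustration (not part of Amos's reply or of the Squid project's own documentation) of the DONT_VERIFY_* warning and the splice/bump distinction above, here is a Squid 3.5-style squid.conf fragment contrasting the weak settings with the corrected ones; the CA bundle path, certificate path, ACL name and server name are assumptions.

```conf
# ---- Weak (recommended by some tutorials): disables server cert validation ----
# DONT_VERIFY_PEER makes OpenSSL accept any server certificate, and
# "allow all" on sslproxy_cert_error swallows every validation error.
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

# ---- Corrected: let OpenSSL verify server certs against the system CA bundle ----
# Path assumed: Debian/Ubuntu "ca-certificates" package layout.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Any validation failure aborts the server connection (this is also the default).
sslproxy_cert_error deny all
# Optional extra checks via the helper validator mentioned above;
# the helper path depends on your installation, so it is left as a placeholder.
# sslcrtvalidator_program /path/to/your/cert_validator_helper

# ---- Bump modes: which certificate the client ends up seeing ----
# cert= path is assumed; generate-host-certificates enables the "mimic" clones.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
# Constructed server name for sites that must not be bumped.
acl nobump ssl::server_name .example-bank.test

# Peek at the TLS ClientHello first so the SNI is available for the decision.
ssl_bump peek step1
# splice: pass-through, the browser sees the real server certificate.
ssl_bump splice nobump
# bump: Squid's forged certificate clones the server cert's details (good and bad).
ssl_bump bump all
```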