2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>
>> Here are some of my experiments:
>> 1) Remove "never_direct"
>> Then ssl_bump works as expected, but all traffic doesn't go through
>> the SOCKS5 proxy. So a lot of sites I can't access.
>>
>> 2) Use local 8118 proxy
>> That works fine without any problem, but ssl_bump is needed...
>> So that just proves privoxy is working.
>>
>> Any clue?
>
>> Also, if I disable "ssl_bump" at the http_port line, squid works without
>> any problem just as a forwarder.
>> But that makes no sense anyway.
>
> Makes perfect sense. Would you like anybody to be able to decrypt your
> HTTPS traffic and send it as plain-text wherever they want?
>
> Squid does not permit that. All inbound encrypted traffic must one way
> or another leave upstream only by encrypted channels.

Agree with Yuri, I hate the government (Yeah, especially the f**king China gov!) and the evil Chinese one has already tried this trick on gmail some months ago.
That's what forces me to pass the traffic to privoxy, as the Great Firewall is already blocking me from reaching most sites in the open world.

Also you got a little confused about ssl bump and encryption/authentication.
SSL bump in fact doesn't do the black magic to magically decrypt everything without cost.
PKI still lets you know that someone is bumping your SSL communication.
So normally with SSL bump, you will see a big browser warning about the unknown issuer of the faked certificates.
And a normal routine like curl will just abort the connection when it finds the certificate is not valid.
Although the communication lost its encryption, you can still know you are under monitoring.
And this implementation needs you to trust the fake CA. If one doesn't trust it, just blacklist the fake CA and use tor or whatever to really hide the trace.
So although ssl bump destroys encryption, it doesn't destroy authentication.

And the combination of ssl bump and cache peer should be allowed if there are no bugs or configuration errors on my side.

Thanks.

>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
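The point made above, that a bumping proxy can strip encryption but cannot pass a client's certificate check unless that client has been told to trust the bump CA, can be demonstrated without any proxy at all. The script below is an added example, not code from this thread or from Squid or privoxy. It assumes only the openssl command-line tool is installed; the two CAs ("realca" standing in for a CA already in the client's trust store, "bumpca" standing in for a proxy's interception CA), the hostname example.test and all key material are constructed throw-away values. It shows that a client trusting only its normal CA rejects the substituted certificate, exactly as curl or a browser would, and that only a client configured to trust the bump CA accepts it.

```shell
#!/bin/sh
# Added demonstration (not from the thread): what a TLS client's certificate
# check says about a certificate issued by a bump CA it does not trust.
# Assumes only the openssl command-line tool. All CAs, keys and names are constructed.
set -eu

# make_demo_pki DIR
# Builds a throwaway PKI in DIR:
#   realca.pem - stands in for a CA that the client's trust store already contains
#   bumpca.pem - stands in for a proxy's bump (interception) CA
#   leaf.pem   - certificate for "example.test" signed by bumpca, i.e. what a
#                bumping proxy hands the client instead of the origin certificate
make_demo_pki() {
  dir=$1
  for ca in realca bumpca; do
    # self-signed CA certificate (req -x509 marks it CA:TRUE on current OpenSSL)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed $ca" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
  done
  # leaf key and request for the hostname the client thinks it is talking to
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  # sign the leaf with the bump CA, as an intercepting proxy does on the fly
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/bumpca.pem" -CAkey "$dir/bumpca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# chain_accepted CAFILE LEAF
# Exit status 0 when LEAF chains to a CA in CAFILE, non-zero otherwise.
# This is the check a browser or curl performs before sending any request.
chain_accepted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict CAFILE LEAF
# Prints "accepted" or "rejected" for the chain check above.
verdict() {
  if chain_accepted "$1" "$2"; then echo accepted; else echo rejected; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

# A client that trusts only the real CA refuses the bumped connection.
echo "trusting realca only: $(verdict "$DEMO_DIR/realca.pem" "$DEMO_DIR/leaf.pem")"
# A client that has been told to trust the bump CA accepts the substituted chain.
echo "trusting bumpca:      $(verdict "$DEMO_DIR/bumpca.pem" "$DEMO_DIR/leaf.pem")"
```

The first line of output is the situation a user sees as a browser warning or a curl abort: the connection still happened, but the client knows the issuer is not one it trusts. The second line is the situation after the bump CA has been installed into the client's trust store, which is what a bumping setup requires before it works silently.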