And finally: HTTPS is used for malware transmission (and we can't scan it!), for porn viewing, for illegal P2P traffic and other things. And we are the paladins in white robes.

06.07.15 19:34, adam900710 wrote:
> 2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>>
>>> Here are some of my experiments:
>>> 1) Remove "never_direct"
>>> Then ssl_bump works as expected, but none of the traffic goes through
>>> the SOCKS5 proxy. So a lot of sites I can't access.
>>>
>>> 2) Use local 8118 proxy
>>> That works fine without any problem, but ssl_bump is needed...
>>> So that just proves privoxy is working.
>>>
>>> Any clue?
>>
>>> Also, if I disable "ssl_bump" at the http_port line, squid works without
>>> any problem just as a forwarder.
>>> But that makes no sense anyway.
>>
>> Makes perfect sense. Would you like anybody to be able to decrypt your
>> HTTPS traffic and send it as plain-text wherever they want?
>>
>> Squid does not permit that. All inbound encrypted traffic must one way
>> or another leave upstream only by encrypted channels.
> Agree with Yuri, I hate the government (yeah, especially the f**king
> China gov!) and
> the evil Chinese one has already tried this trick on gmail some months ago.
>
> That's what forces me to pass the traffic to privoxy, as the Great
> Firewall is already
> blocking me from reaching most sites in the open world.
>
> Also you got a little confused with ssl bump and encryption/authentication.
>
> SSL bump in fact doesn't do the black magic to magically decrypt
> everything without cost.
> PKI things still let you know that someone is bumping your SSL communication.
>
> So normally with SSL bump, you will see a big browser warning about
> the unknown issuer of
> the faked certificates.
> And normal routines like curl will just abort the connection when they
> find the certificate is not valid.
>
> Although the communication lost the encryption, you can still know you
> are under monitoring.
> And this implementation needs you to trust the fake CA.
> If one doesn't trust it, just blacklist the fake CA and use tor or
> whatever to really hide the trace.
>
> So although ssl bump destroys encryption, it doesn't destroy
> authentication.
> And the combination of ssl bump and cache peer should be allowed if there are no
> bugs or configuration errors on my side.
>
> Thanks.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
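The point adam900710 makes in the quoted message (a bumping proxy mints leaf certificates under its own CA; a client that has not imported that CA refuses the handshake, and a client that has can still see who the issuer is) can be reproduced offline with nothing but the openssl command-line tool. The script below is an added example, not code from this thread or from Squid; it assumes openssl is installed, and the CA name "Corporate Bump CA" and the host example.com are constructed for the demo. The references to Squid's http_port ssl-bump cert= and generate-host-certificates=on in the comments describe which part of the proxy each step stands in for, not the proxy's own implementation.

```shell
#!/bin/sh
# Added example: what a bumping proxy (Squid ssl_bump or similar) does to
# the certificate chain a client sees, and how the client notices.
# Not code from the thread or from Squid. Assumes the openssl CLI is
# available; the CA name and the host name are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The proxy's own CA: the counterpart of the cert= file on Squid's
# "http_port ... ssl-bump" line. Self-signed and never published anywhere.
make_bump_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Corporate Bump CA" \
    -keyout "$WORK/bump-ca.key" -out "$WORK/bump-ca.pem" >/dev/null 2>&1
}

# The forged leaf the proxy mints on the fly for whatever host the client
# asked for (what generate-host-certificates=on automates). It is signed by
# the bump CA, not by the CA that issued the real site's certificate.
make_forged_leaf() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/$host.csr" \
    -CA "$WORK/bump-ca.pem" -CAkey "$WORK/bump-ca.key" -CAcreateserial \
    -out "$WORK/$host.pem" >/dev/null 2>&1
}

# Chain validation the way a client does it. "openssl verify" prints
# "<file>: OK" only when it can build a path to a trusted root; matching
# that line avoids relying on the exit code, which older openssl releases
# did not set on failure. Extra arguments (e.g. -CAfile) are passed through.
chain_status() {
  host=$1
  shift
  if openssl verify "$@" "$WORK/$host.pem" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo rejected
  fi
}

# Client without the bump CA in its trust store (curl with default options,
# a browser that never imported the CA): the forged leaf chains to nothing
# it trusts, so the handshake is refused. This is the curl abort and the
# browser warning described in the thread.
verify_untrusted() {
  chain_status "$1"
}

# Client that imported the bump CA (the managed-desktop case): the forged
# leaf validates and the handshake succeeds with no warning at all.
verify_trusted() {
  chain_status "$1" -CAfile "$WORK/bump-ca.pem"
}

# Authentication is not gone even for the trusting client: the issuer on
# the presented leaf names the bump CA rather than the site's real CA,
# which is what certificate pinning or a plain issuer check can alert on.
issuer_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

run_demo() {
  make_bump_ca
  make_forged_leaf example.com
  echo "presented issuer:    $(issuer_of example.com)"
  echo "without the bump CA: $(verify_untrusted example.com)"
  echo "with the bump CA:    $(verify_trusted example.com)"
}

run_demo
```

The exact issuer line differs between openssl releases ("issuer=CN = Corporate Bump CA" on 3.x, "issuer= /CN=Corporate Bump CA" on 1.0), but in every case it names the bump CA, which is the detail a pinned client or a careful user compares against what the real site's CA should be. Blacklisting the bump CA, as the quoted message suggests, is the same check turned into a refusal.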