
Re: Transparent HTTPS Squid proxy with upstream parent


Hi Amos

thanks for your reply.

On 08/11/15 03:27, Amos Jeffries wrote:
> You are taking secured traffic. Removing the decryption. Then ...

Yes. Then ... I expected it would make a CONNECT to the upstream proxy that would in turn do HTTPS to the target.

I'm happy with the certificate mismatch.

>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
> Attempting to connect and send encryption to a non-encrypted peer.
>
> Using a current version of Squid should fix that assertion and just not
> let the peer be used. Your Squid is a whole 2 months old. In the arms
> race that is SSL-Bump a few months is a long time.
>
> Squid still will not generate new CONNECT to non-encrypted peers though.
> So you will need to TLS enable the cache_peer link.

If my proxy talks TLS with the upstream one - will that do the trick? I can upgrade to the latest Squid if that should fix the problem.

However, I'm a bit confused about the protocols / certificates involved.

[client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS -> [target]

What protocol is used between [my_proxy] and [upstream_proxy]? It's not CONNECT, is it? Is it TLS connection with something like "GET https://example.com/ HTTP/1.." passing through?

Does that also mean the upstream one will have to ssl_bump the connection again and re-encrypt with yet another certificate to be able to read the target URL? And also - can I pass non-SSL traffic between my proxy and the upstream as well?

Can you provide some config hints for both proxies please? The SSL-related bits only as that's the unclear part.

Thanks in advance!

Michael
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
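A check for the condition discussed in this thread (an ssl-bump listener combined with a cache_peer that has no TLS flag), as an added example that is not part of the original message or of Squid itself. The sample config, host names and function names are constructed for illustration, and comment handling is simplified to "everything after `#`".

```python
# Constructed sample squid.conf (not from the original post); host names
# and file paths are placeholders.
SAMPLE_CONF = """\
# intercepting listener that bumps TLS
https_port 3130 intercept ssl-bump cert=/etc/squid/ca.pem
ssl_bump bump all
cache_peer upstream.example.net parent 3128 0 no-query default
cache_peer secure.example.net parent 3129 0 no-query ssl
never_direct allow all
"""

# Flag that turns on TLS for a peer link: "ssl" in Squid 3.x, "tls" in Squid 4+.
TLS_PEER_FLAGS = {"ssl", "tls"}


def directives(conf_text):
    """Yield (line_no, tokens) for each non-empty, non-comment line."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield line_no, tokens


def plaintext_peers_behind_bump(conf_text):
    """Return [(line_no, peer_host)] for cache_peer lines without a TLS flag,
    but only when the same config also has an ssl-bump listener."""
    bumping = False
    plain_peers = []
    for line_no, tokens in directives(conf_text):
        name, args = tokens[0], tokens[1:]
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            bumping = True
        elif name == "cache_peer" and len(args) >= 4:
            # cache_peer <host> <type> <http-port> <icp-port> [options]
            options = set(args[4:])
            if not options & TLS_PEER_FLAGS:
                plain_peers.append((line_no, args[0]))
    return plain_peers if bumping else []


if __name__ == "__main__":
    for line_no, host in plaintext_peers_behind_bump(SAMPLE_CONF):
        print(f"line {line_no}: bumped traffic cannot use plain-text peer {host}")
```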



