On 15/01/2016 11:13 p.m., startrekfan wrote:
> Hello
>
> I'm sorry. I'm not a native speaker, so maybe I don't find the right words.
>
> I'd like to set up a proxy that can scan the incoming traffic for viruses
> (squidclamav). To do that for an https/ssl connection I need the squid
> ssl-bump feature, or is there another solution?

Aha. Yes, you will need bumping to do that.

>
> Now I want to set up the ssl-bump feature as safe as using no ssl-bump. Is
> this possible with squid 3.4? (Of course everyone who has my CA cert can
> decrypt the traffic, but I keep it safe.)

TLS is a fast-changing situation. The golden rule with bumping TLS/HTTPS is to use the latest Squid release. If you have any problems, first try an upgrade.

Things are being improved constantly and you may even need to go beyond the stable production release and use the beta development release for some things. But definitely anything older than the current production release certainly has TLS-related bugs and annoying problems.

3.4 is over a year outdated in its support for TLS features and is lacking some very major abilities that are critical for smooth port 443 interception. 3.5 is still a bit rough itself, but way better than any older Squid.

> Squid is communicating with the remote server (webserver). I'd like to have
> at least this communication as safe as using a normal browser.
>

Leave that until you have a working system. Your end goal is a complicated setup. Best take it one small step at a time. Especially since you are new at this.

> Does squid 3.4 do all the necessary steps like checking the certificate
> validity?

Yes, all Squid-2.4+ do unless you configure it not to happen.

> What about advanced features like cert pinning?
>

Not normally. Cert pinning is a nasty hack browsers do. If you want that you will have to write a cert validator helper of your own that checks the pinning.

You will however find that any traffic actually using cert pinning is not able to be SSL-Bumped. So traffic where bumping succeeds will never be worth checking for pinning.

> How do I configure ssl virus scanning? Are these steps enough:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

The two are separate things. SSL-Bump decrypts the HTTPS traffic arriving into Squid. ICAP services doing AV can scan traffic going through Squid.

This is good. It means you can/should configure one and test it is working well before trying to start setting up the other.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
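As an added illustration of the "configure one, test it, then add the other" advice above (this is not Amos's text nor the linked wiki page's config), a minimal squid.conf for an explicit Squid 3.5 proxy in which the SSL-Bump part and the ICAP/squidclamav part are separate blocks, with upstream certificate validation left fully on. The CA and ssl_crtd paths, the listening port, and the c-icap service URL are assumptions and must be adjusted to the local install.

```conf
# ---- Step 1: SSL-Bump on an explicit proxy port (Squid 3.5 syntax) ----
# Paths and port 3128 are assumptions for this example.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello (SNI) first, then bump the connection so the
# decrypted HTTP is available to Squid (and, in step 2, to the AV service).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Keep server certificate validation on, as a browser would. Do NOT add
#   sslproxy_flags DONT_VERIFY_PEER
# and do not allow-list certificate errors; a bad upstream cert stays an error.
sslproxy_cert_error deny all

# ---- Step 2: enable only after bumping is verified to work ----
# ICAP response scanning via squidclamav behind c-icap. The service URL is an
# assumption; check the service name in your c-icap.conf.
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
# bypass=0: if the AV service is down, Squid returns an error instead of
# silently passing unscanned content through.
icap_service clamav_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access clamav_resp allow all
```

Test step 1 on its own (a bumped site shows the proxy CA in the browser and valid-cert errors from bad upstream servers are still reported) before uncommenting or adding the step 2 block.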