Hi,
I am trying my hand at ssl_bump and it's almost working, but only ish-ish, because I have several problems.
I even wonder if this config is correct:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl ssl_bump_broken_sites dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt
<cut>
The following error was encountered while trying to retrieve the URL: https://org.ke.m-pesa.com/*
Failed to establish a secure connection to 196.201.214.212
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is <odhiambo@xxxxxxxxx>.
</cut>
I thought I could mitigate that with the:
acl ssl_bump_broken_sites dstdomain "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites
..but that doesn't do it...
Secondly, I had to import my CA into all devices on the network (as a trusted CA) so that they don't get the MITM notification. This is a challenge, because I have to do the same for smartphones too, and that is not easy. People don't like intrusive changes. For example, on an Android phone you have to set screen security before you can import such a CA, and after you do, you cannot disable the screen security! Now, that is not something people want.
Another issue is that we allow guests who come onto the premises to use our Wi-Fi (on a different SSID). Without importing the CA, they get the MITM notification and cannot browse. This is because they get assigned IPs in the same subnet we use in the office.
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
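Editor's note on the configuration above. The "sslv3 alert bad certificate" in the error page is an alert that the remote server sent to Squid during Squid's own handshake with it, which is what you see when a server demands a client certificate: a bumping proxy cannot present the user's certificate, so such a site can only be spliced. Two things in the posted config work against that: "none" is the deprecated name for "splice", and with a dstdomain ACL the exemption is only evaluated before the server name is known, while the stare at step 2 forecloses splicing afterwards. The posted config also disables all upstream verification (sslproxy_flags DONT_VERIFY_PEER, sslproxy_cert_error allow all), which means every bumped user trusts whatever certificate the proxy is shown. The fragment below is an added example written for this note, not the poster's or the Squid project's own config; the guest address range, the known_bad_certs.txt file and the ssl_error exemption are assumptions and are marked as such. It matches the exemption list by TLS server name (available from step 2), keeps splicing possible by peeking rather than staring at step 1, and narrows the certificate-error exemption to named sites and a named error.

```conf
# Added example squid.conf fragment (Squid 3.5 style), not from the original post.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must not be decrypted (for example servers that require a client
# certificate). Matched on the TLS server name, which Squid only knows at step 2.
acl nobump_sites ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"

# ASSUMPTION: the guest SSID hands out addresses from its own range. With guests
# in the office subnet (as in the post) a src ACL cannot tell them apart.
acl guests src 10.20.30.0/24

# Guests are never bumped, so they need no CA installed; decided at step 1.
ssl_bump splice guests
# Step 1: only peek at the client hello, so that splicing is still possible later
# (after "stare" a connection can no longer be spliced).
ssl_bump peek step1
# Step 2: pass exempted sites through untouched; the browser sees the real
# server certificate.
ssl_bump splice nobump_sites
# Everything else is decrypted with the proxy's CA.
ssl_bump bump all

# Keep upstream certificate verification on; do not set DONT_VERIFY_PEER.
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt
sslproxy_capath /etc/ssl/certs

# ASSUMPTION: known_bad_certs.txt lists the few sites whose name mismatch you have
# reviewed by hand. Only that error, only for those sites, is tolerated.
acl known_bad_certs ssl::server_name "/usr/local/etc/squid/known_bad_certs.txt"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow known_bad_certs DomainMismatch
sslproxy_cert_error deny all
```

The exemption file keeps the same path as in the post; entries are host names (a leading dot matches subdomains, as for dstdomain). Whether a given site really needs splicing can be confirmed outside Squid with openssl s_client against the host: a server that requires a client certificate sends a certificate request during the handshake, and that is the case the "bad certificate" alert points to.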