On 06/01/2017 09:17 AM, Amos Jeffries wrote:
> On 02/06/17 01:10, erdosain9 wrote:
>> "If I assume that it's doing what you want there are still two major
>> issues that can be seen." ... I think it was...
>>
>> "1) Mixing interception and authentication (ssl-bump is a type of
>> interception, at least on the https:// traffic). Intercepted messages
>> cannot be authenticated - though there are some workarounds in place for
>> ssl-bump to authenticate the CONNECT tunnel and label all the bumped
>> traffic with that username."

Bumped messages cannot be proxy-authenticated, but the CONNECT tunnels that
carry bumped messages can be, and such proxy authentication does not violate
any rules or principles. It is perfectly fine to use. Furthermore, logging
the authenticated tunnel user when logging transactions inside that tunnel is
the right thing to do IMO.

>> How is that? Maybe I'm wrong (probably), but, for example, a connection to
>> youtube is SSL, and I see in access.log who does that (it's
>> authenticated).
>
> That is the hack workaround doing its thing. Squid is authenticating the
> CONNECT message, then simply reporting that authenticated username for
> all the bumped https:// log entries.

FWIW, I do not think this is a hack. It is exactly what Squid should be doing
in this context. There may be bugs in the implementation of that
functionality, of course, but the functionality itself is a legitimate
feature, not a workaround.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
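The setup the thread describes (proxy authentication on the CONNECT request, ssl-bump on the tunnel, and the tunnel's username carried into the log entries for the bumped requests), as an added squid.conf fragment that is not part of the thread or of Squid's own documentation; helper paths, the certificate path, the port and the log format name are assumptions.

```conf
# Added example, not from the thread. Explicit (forward) proxy: clients send
# CONNECT with Proxy-Authorization, so the tunnel itself can be authenticated.
# Helper and file paths below are assumptions for illustration.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
acl authenticated proxy_auth REQUIRED

# No "intercept" flag here: intercepted traffic has no CONNECT to authenticate.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Authenticate the CONNECT before anything is bumped; an unauthenticated
# CONNECT is answered with 407 and never reaches ssl_bump.
http_access deny !authenticated
http_access allow authenticated

# Peek at the client hello (step 1), then bump the tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# %un is the authenticated username. Bumped GET/POST entries inside the tunnel
# report the CONNECT user, which is the behaviour discussed above.
logformat bumped %ts.%03tu %>a %un %rm %ru %ssl::>sni %Ss/%03>Hs
access_log /var/log/squid/access.log bumped
```

To check it, send an authenticated https request through the proxy and confirm that both the CONNECT line and the bumped request lines in access.log carry the same %un value rather than "-".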