
Re: Looking for assistance with setting up a TLS proxy

On 08/09/17 07:28, Rohit Sodhia wrote:
Greetings,

I'm a backend dev who's been suddenly assigned a task to create a squid proxy to intercept cURL/wget requests. We've got old servers that don't support TLS 1.2 and some of the services we use will be requiring it soon, so the decision was made to route cURL and wget requests through a pair of squid servers. Unfortunately, I'm not a sysop (or even really knowledgeable in this area) and am having some trouble, hoping someone wouldn't mind helping me out.

I've been through the squid documentation and been playing around with the examples on the squid site, including finding one for creating an interception proxy. However, if I'm correct, for squid to be able to upgrade the TLS requests from their current 1.0 to 1.2, squid would need to decrypt the incoming request, then reencrypt it?

Yes. The TLS messaging needs replacing to negotiate TLS/1.0 variants of things, and often the server cert itself needs replacing entirely due to TLS/1.1+ extension bits inside it.


I'm hoping someone out there may be willing to help point me in the right direction; I've been given a tight deadline, and both learning about the technologies and finding an effective solution is straining.

Thank you,


The feature details for Squid TLS interception capabilities are at <https://wiki.squid-cache.org/Features/SslPeekAndSplice>

The more you know about TLS messaging the easier it is to grasp what Squid is doing. But the basics as covered in that page's second section should be sufficient to use the feature.

Some things that might trip you up:

* the "stare" and "splice" actions we normally advise using cannot be used when translating TLS versions. They deliver the client TLS version (at least) on messages to the server.

* bump at step1 (maybe step2) will do exactly what you need. This emulates the client-first bumping action which is documented as "causes a lot of problems" mostly in terms of adding major TLS vulnerabilities to the whole system - so minimize use as much as possible.

* TLS SNI and similar extensions are generally not sent by TLS/1.0 clients, which makes it difficult to tell what service is being requested, and thus to do the minimization mentioned above.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
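The bump-at-step1 setup Amos describes, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; it assumes Squid 4 directive names (sslcrtd_program, tls_outgoing_options), placeholder paths and a placeholder service domain, and an explicit forward proxy that curl and wget reach through https_proxy, so the CONNECT target is known at step1 even though TLS/1.0 clients send no SNI.

```conf
# Added example (not from the thread): explicit proxy that bumps TLS at step1
# so TLS/1.0-only clients are re-encrypted toward servers that require TLS/1.2.
# Assumes Squid 4 syntax and the paths shown; adjust to your build and layout.

# Port that curl/wget point at via https_proxy=. bump.pem (assumed path) is the
# proxy's own CA cert+key; client hosts must trust it, because the server cert
# is replaced entirely during bumping.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the replacement server certs (Squid 4 name; 3.5 used ssl_crtd).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Minimize bumping as the reply advises: only the services that will require
# TLS/1.2 are bumped, everything else is spliced through untouched. Because a
# TLS/1.0 client sends no SNI, selection uses the CONNECT request's destination
# (dstdomain) rather than ssl::server_name.
acl step1 at_step SslBump1
acl tls12_only dstdomain .api.example.com        # placeholder service domain

ssl_bump bump step1 tls12_only
ssl_bump splice all

# Squid's own upstream TLS: negotiate at least 1.2 regardless of what the
# client spoke on the inside leg.
tls_outgoing_options min-version=1.2

# Usual client access controls; placeholder network.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Because the client leg stays TLS/1.0, the proxy and the trust in its CA are the only things standing between those old servers and the weaknesses that version carries, so keep the bumped destination list as short as the services actually need.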
