
Re: Using a static wildcard certificate with ssl-bump in explicit forward proxy mode

Amos, thank you for the quick response. My original question could use an example to clarify.

client ------> example.com (HTTPS squid proxy) ------> instance.example.com (HTTPS server)

The HTTPS squid proxy on example.com has a trusted wildcard certificate for *.example.com
The HTTPS server on instance.example.com has an untrusted certificate for instance.example.com

So without MITM, the client issues a CONNECT to squid running on example.com which does its TLS, authenticates, connects to upstream then goes into tunneling mode. The client does the TLS handshake with instance.example.com, receives its untrusted certificate, and isn't happy.

I'm looking for a MITM mode that, instead of requiring a CA that can dynamically create trusted certs on the fly, will return a wildcard certificate for all requests (or even better, for any requests matching hosts in its subdomain). Is that something that exists?

I hacked up my own version of ssl_crtd to serve a static cert and ran into another wrinkle. Is there a version of squid that supports ssl-bump with https_port?

On Fri, Jan 25, 2019 at 9:42 PM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 26/01/19 5:51 am, Bill Bernsen wrote:
> Hi,
>
> I have squid running as an explicit forward proxy on the
> host example.com controlling access to all hosts
> in *.example.com. All the hosts in *.example.com
> have self-signed certificates that I want to
> appear as trusted to user browsers. I don't have the option of obtaining
> a trusted CA. I do, however, have a trusted wildcard certificate for
> *.example.com available. Is there a way that I can
> tell squid to present this static wildcard certificate to clients in
> lieu of all upstream server certificates?


As a forward proxy clients are *not* connecting to any of the
*.example.com domains. They are connecting to your proxy hostname - and
telling it to take care of the origin connections. So all clients need
is trust for the CA which signed the proxy's certificate.

The proxy is the only agent in the path which needs to trust the
wildcard *.example.com certificate.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
