On 3/20/19 3:23 PM, Yosi Greenfield wrote:

> ssl_bump splice step3 NoBump
> ssl_bump bump step3
> cache_peer proxy2.ourserver.com ... ssl

Forwarding most SslBump-related connections to cache_peers is still unsupported by official Squids, including Squid v3 and v4. Measurement Factory code that implements this feature is being officially reviewed at https://github.com/squid-cache/squid/pull/380/

If you can test the above-referenced code, please do.

However, even if the above-referenced changes are officially accepted (into v5), they will not allow you to do "TLS inside TLS" -- you will not be able to forward most SslBump-related connections to HTTPS proxies (i.e. your "cache_peer ssl").

Fortunately, forwarding to HTTPS proxies is not critical in most use cases -- one layer of TLS encryption is often enough. Unfortunately, you will expose CONNECT requests between Squid1 and Squid2 until we add that support or perhaps [controversially] allow bumped traffic to be sent to HTTPS proxies without additional encryption. I am not aware of anybody working on either right now.

> 1. Does squid 3.5 even allow sending https between peers?

Squid allows sending plain HTTP traffic to an HTTPS peer. That is not what you are configuring your squid1 to do though: You are telling squid1 to send bumped HTTPS traffic to an HTTPS peer. The latter is not supported.

> 2. What file goes into the cache_peer directive sslcert?

Let's assume that the TCP connection between squid1 and squid2 is encrypted with TLS (i.e., your configuration with "cache_peer ssl"). TLS supports certificate-based client authentication: A TLS client (i.e., squid1 in your case) sends its SSL certificate to the TLS server (i.e., squid2 in your case). The TLS server (i.e. squid2) validates that certificate against some mutually trusted CA and allows (or denies) the connection. "cache_peer sslcert" names the file containing the (client) SSL certificate that squid1 sends and squid2 expects/validates.
> I'm using the same PEM file for cache_peer on Squid1 and http_port on Squid2. Is that a mistake?

It is a mistake in most (possibly all) use cases. The former is a (client) SSL certificate that squid1 sends and squid2 validates. The latter is an SSL CA certificate to generate fake (server) SSL certificates. Squid2 sends those generated certificates. A bumping Squid1 validates them.

HTH,

Alex.

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
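Added example (not part of the original thread and not Squid project configuration): a squid.conf fragment for the case the reply says is supported, squid1 forwarding plain HTTP to an HTTPS peer squid2 with TLS client-certificate authentication, written with Squid 3.5 option names. It keeps the three certificate roles discussed above in separate files: squid1's client certificate (cache_peer sslcert), squid2's server certificate (https_port cert), and the signing CA used for SslBump certificate generation (http_port ssl-bump cert), which is the file that must not be reused as sslcert. squid1 here does not bump; per the reply, bumped connections would not be forwarded to this ssl peer in Squid 3.5 or 4. All hostnames, ports and file paths are assumptions.

```conf
# ---- squid1.conf: the TLS client towards squid2 ---------------------------
# Assumed paths and hostnames; added example, not Squid project configuration.
#
# sslcert/sslkey: squid1's own client certificate and key, presented to squid2
# during the TLS handshake and validated there against peer-ca.pem.
# sslcafile: the CA that issued squid2's server certificate, so squid1 can
# validate the peer. Neither file is the SslBump signing CA.
cache_peer proxy2.ourserver.com parent 3129 0 ssl \
    name=squid2 \
    ssldomain=proxy2.ourserver.com \
    sslcert=/etc/squid/squid1-client.pem \
    sslkey=/etc/squid/squid1-client.key \
    sslcafile=/etc/squid/peer-ca.pem
never_direct allow all

# ---- squid2.conf: the TLS server for squid1 -------------------------------
# cert/key: squid2's server certificate and key (validated by squid1).
# clientca: the CA squid2 trusts for squid1's client certificate.
https_port 3129 \
    cert=/etc/squid/squid2-server.pem \
    key=/etc/squid/squid2-server.key \
    clientca=/etc/squid/peer-ca.pem

# squid2's own bumping port. cert/key here is a CA certificate and key used to
# mint fake server certificates for bumped clients. It lives in its own file;
# reusing it as cache_peer sslcert on squid1 is the mistake named in the reply.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

A quick way to tell the files apart before reusing one: a bumping CA certificate carries basicConstraints CA:TRUE and is only ever presented by squid2 to its own clients, while the cache_peer sslcert is an end-entity certificate that squid1 presents to squid2 and that squid2 checks against clientca.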