
Using a Baltimore root certificate in transparent ssl proxying

Hi,

We were able to set up Squid in a host-to-container infrastructure. That is to say, Squid is installed on the host, proxying traffic from a container on the same host, as a transparent proxy including SSL traffic.

Another feature we enabled is request_header_access and request_header_replace, to spoof and modify the token in HTTP headers sent to the target dstdomain.

The issue we are having right now is that the certificate installed on the container is a self-signed cert; we were trying to migrate this cert to a real trusted CA cert, or a Baltimore root cert.

The issue seems to be in the subject name of the cert. In the self-signed cert, I simply leave everything blank. With the Baltimore root cert (squid.key and squid.crt in the squid.conf example below, requested through a Microsoft internal service, and it is Baltimore root), even if I have the dstdomain in squid.conf as the subject name (abc.microsoft.com in the squid.conf example below), I am still getting a “server certificate verification failed” error in curl. Is there anything I am missing, or is it simply not supported? In my understanding, it should be no different from Squid acting as the root CA signer with a self-signed cert?

P.S. I do notice that it is illegal for a trusted CA to issue an official cert to Squid because Squid itself is a man-in-the-middle, so Squid can only accept a self-signed cert with Squid as the root CA? I tried to search the email archive but had no luck.

I have the following squid.conf:

acl abc dstdomain .abc.microsoft.com
request_header_access Authorization deny abc
request_header_replace Authorization Basic whateverYourTokeisButForBasicItHasToBeBase64Encoded
request_header_access All allow all

https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

ssl_bump server-first all
always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites


Thanks,

Lei

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
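Added check, not part of Lei's message and not Squid's own code: generate-host-certificates can only mint per-host certificates from a signing cert that is itself a CA (basicConstraints CA:TRUE and a Key Usage that allows keyCertSign). A public CA such as Baltimore will not issue that, while a blank-subject cert made with openssl req -x509 and the stock openssl.cnf typically gets CA:TRUE by default, which is why the self-signed cert worked and the purchased one does not. The helpers below (hypothetical names; abc.microsoft.com and the squid.crt/squid.key file names come from the post, the output directory is constructed) test a PEM file for that property, and build a local bump CA plus a CA-signed leaf to show the difference; squid.crt from the CA is what the container's trust store must hold for curl to verify.

```shell
#!/bin/sh
# Hypothetical helpers (not from the original post): test whether a PEM
# certificate can act as Squid's ssl-bump signing CA, and build a local CA
# plus a CA-signed leaf for abc.microsoft.com to show the difference.
# Minimal OpenSSL config so no system-wide defaults leak in: ca_ext carries
# what generate-host-certificates needs, leaf_ext mirrors a public CA's leaf.
write_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:abc.microsoft.com
EOF
}
# Returns 0 only if the cert is a CA cert whose Key Usage (when present)
# allows signing other certificates, which Squid needs to mint host certs.
is_bump_ca() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
  fi
}
# Self-signed local CA usable as https_port cert=$1/squid.crt key=$1/squid.key
# (directory $1 is constructed); squid.crt goes into the client trust store.
make_bump_ca() {
  mkdir -p "$1" && write_cfg "$1/openssl.cnf" &&
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Local Squid Bump CA" \
    -keyout "$1/squid.key" -out "$1/squid.crt" 2>/dev/null
}
# Leaf signed by that CA: fine as a server cert, useless as a bump signer,
# exactly like a certificate a public CA issues for a host name.
make_leaf_cert() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=abc.microsoft.com" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/squid.crt" -CAkey "$1/squid.key" \
    -CAcreateserial -days 365 -extfile "$1/openssl.cnf" -extensions leaf_ext \
    -out "$1/leaf.crt" 2>/dev/null
}
```

Run `is_bump_ca /etc/squid3/squid.crt` against the purchased cert to confirm the diagnosis before touching squid.conf.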
