Re: MITM the MITM

Hey Antony,

Thanks for the quick response.

> - What sort of firewall is this?

The firewall is a Cisco FTDv 6.6.

> - What does "HTTPS inspect" actually mean?
> - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
> between client and server (neither of which is the firewall)?
> - What does "inspect" mean?  What information is revealed from the inspection
> of the encrypted communication?

It's doing something they call 'decrypt and resign', similar to how ssl_bump works. Would putting the firewall certificate on the Squid server's trusted certificates source be enough?

> Why?  Where would the proxy servers need to be instead, in order for this
> inspection to work?

Good question, their documentation says the following:

HTTP proxy limitation

The system cannot decrypt traffic if an HTTP proxy is positioned between a client and your managed device, and the client and server establish a tunneled TLS/SSL connection using the CONNECT HTTP method. The Handshake Errors undecryptable action determines how the system handles this traffic.

> Alternatively, how does/would it work if the proxy were not there, and clients
> communicated directly to the Internet through the firewall?

If the proxy wasn't there, it looks like it works the same as ssl_bump.

> Have you asked the suppliers / authors / vendors of the firewall?

Not yet, but I will be doing so today.

> If it's the firewall telling you there's a problem, this doesn't entirely feel
> like a Squid question.

Okay, what if we removed the firewall and replaced it with another Squid proxy server, which is also doing ssl_bump? I assume this would work, but are there negative implications of doing so?

Appreciate you taking the time.

Thanks,

Will

On 04/01/2022 00:35, Antony Stone wrote:
> On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:
>
>> Hey all,
>>
>> I currently have the following network topology, it's emulating a real-world
>> environment. The proxy is running ssl_bump.
>>
>> LAN <-> Squid Proxy <-> Firewall <-> Internet
>>
>> From the Firewall's perspective all client connections are originating
>> as the proxy server.
>
> Okay, that makes good sense.
>
>> We're wanting to use the https inspect feature of the firewall,
>
> Please give more details?
>
>  - What sort of firewall is this?
>  - What does "HTTPS inspect" actually mean?
>  - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
> between client and server (neither of which is the firewall)?
>  - What does "inspect" mean?  What information is revealed from the inspection
> of the encrypted communication?
>
>> but according to our firewall documentation it appears due to the location of
>> our proxy servers we would be unable to do so.
>
> Why?  Where would the proxy servers need to be instead, in order for this
> inspection to work?
>
> Alternatively, how does/would it work if the proxy were not there, and clients
> communicated directly to the Internet through the firewall?
>
>> My question is, if the proxy is behaving as a MITM between itself and
>> the client, can't the Firewall do the same thing between itself and the
>> proxy?
>
> I agree.  Have you asked the suppliers / authors / vendors of the firewall?
>
>> I suspect it is possible, but might potentially involve a lot of headaches
>> and a big hit on performance?
>
> Who knows?
>
> If it's the firewall telling you there's a problem, this doesn't entirely feel
> like a Squid question.
>
>
> Antony.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
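Added here as an illustration, not part of the thread and not taken from Squid's or Cisco's documentation: a minimal squid.conf for the LAN <-> Squid Proxy <-> Firewall <-> Internet topology discussed above, assuming the firewall re-signs the server certificate on the TLS connections Squid itself opens upstream. When Squid bumps a CONNECT it terminates the client's TLS and originates a separate TLS handshake to the origin server; that second handshake is what crosses the firewall, so it is Squid, not the LAN client, that is presented with the firewall's re-signed certificate and must trust the firewall's signing CA. Directive names are Squid 4+ (`tls_outgoing_options`); the file paths, port number, helper path and CA file name are assumptions.

```conf
# Added example, not from the thread or from Squid's own documentation.
# Topology: LAN <-> Squid (ssl_bump) <-> Firewall (decrypt and resign) <-> Internet
# All paths, the port and the CA file names below are assumptions.

# Client-facing side: Squid terminates the client's CONNECT and mints a
# per-host certificate signed by Squid's own CA, which the LAN clients trust.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl_cert/squidCA.pem \
    tls-key=/etc/squid/ssl_cert/squidCA.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Server-facing side: for a bumped connection Squid starts its own TLS
# handshake to the origin. That handshake crosses the firewall, which
# answers with a certificate re-signed by the firewall's CA. Squid has to
# trust that CA in addition to the system CA bundle, otherwise every bumped
# site becomes a certificate error.
tls_outgoing_options cafile=/etc/squid/ssl_cert/firewall-resigning-ca.pem \
    default-ca=on

# Keep upstream certificate validation strict. The tempting shortcut
#   tls_outgoing_options flags=DONT_VERIFY_PEER
# would make Squid accept any certificate from anything upstream, turning
# "the firewall is the MITM" into "anyone on the path can be the MITM".
sslproxy_cert_error deny all
```

Two caveats a practitioner would check before relying on this. First, it only covers connections Squid bumps: for anything Squid splices (`ssl_bump splice`), the client's own TLS handshake is relayed through the firewall, so the client, not Squid, would have to trust the firewall's CA. Second, confirm that the issuer Squid is actually presented upstream is the firewall's CA (for example with `openssl s_client -connect example.net:443 -showcerts` run from the Squid host) before adding that CA to `cafile=`; trusting a CA that is not the one on the path adds risk without fixing anything.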
