
Re: MITM the MITM


FYI people,

When Squid

On 7/01/22 06:33, Grant Taylor wrote:
On 1/4/22 2:35 AM, Will BMD wrote:
HTTP proxy limitation

The system cannot decrypt traffic if an HTTP proxy is positioned between a client and your managed device, and the client and server establish a tunneled TLS/SSL connection using the CONNECT HTTP method. The Handshake Errors undecryptable action determines how the system handles this traffic.

I ... don't know what to make of this.  I would have some questions for the vendor (Cisco).


This reads to me like the FTDv supports plain-text HTTP on port 80 and HTTPS on port 443, not CONNECT tunnel intercept/decrypt, nor TLS between proxies.

So when a proxy like Squid is placed in front:

* it cannot handle being configured as a peer to Squid, because those peers get HTTPS as CONNECT tunnels, or the TLS is proxy-proxy TLS, not client-server.

* it probably can handle Squid terminating CONNECT requests and tunneling directly to port 443, because that TLS is done by the client, not Squid.

* it probably can handle Squid SSL-Bump splice or bump traffic with *no* peers configured, because Squid is then just another client talking over port 443 to a server. However, you will need Squid to trust the FTDv signing certificate, just like clients for SSL-Bump need to trust Squid's.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
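As an added illustration of the third case above (SSL-Bump with no cache_peer, Squid trusting the FTDv signing CA), here is a squid.conf fragment; it is not part of Amos's reply or the Squid project's documentation, and the file paths, port and example hostname are assumptions.

```conf
# Added example: Squid bumping client TLS itself, with NO cache_peer,
# so that towards the FTDv Squid is just another client on port 443.
# All paths below are assumed placeholders.

# Squid's own signing CA, which the *clients* must trust (as Amos notes).
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/squid-bump-ca.pem \
    tls-key=/etc/squid/squid-bump-ca.key

# Helper that mints the per-site certificates Squid presents to clients.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first, then bump; splice what you must not
# decrypt (assumed example list) so it passes to the FTDv untouched.
acl step1 at_step SslBump1
acl nobump ssl::server_name .example-bank.invalid
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# The FTDv re-signs server certificates with its own CA. Squid, now acting
# as the TLS client, must trust that CA explicitly; keep the system CAs too.
tls_outgoing_options cafile=/etc/squid/ftdv-signing-ca.pem default-ca=on

# Do NOT silence the resulting certificate errors with
#   sslproxy_cert_error allow all
# that would make Squid accept any interceptor, not only the FTDv.
sslproxy_cert_error deny all

# No cache_peer lines: with a peer, Squid would send CONNECT tunnels or
# proxy-to-proxy TLS, which the FTDv cannot decrypt (the first case above).
```

Check the outgoing side with `openssl s_client` from the Squid host to confirm the chain presented is the FTDv's, and that Squid logs no SSL_CERT errors once the CA file is in place.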
