FYI people,
When Squid
On 7/01/22 06:33, Grant Taylor wrote:
On 1/4/22 2:35 AM, Will BMD wrote:
HTTP proxy limitation
The system cannot decrypt traffic if an HTTP proxy is positioned
between a client and your managed device, and the client and server
establish a tunneled TLS/SSL connection using the CONNECT HTTP method.
The Handshake Errors undecryptable action determines how the system
handles this traffic.
I ... don't know what to make of this. I would have some questions for
the vendor (Cisco).
This reads to me like the FTDv supports plain-text HTTP on port 80 and
HTTPS on port 443, not CONNECT tunnel intercept/decrypt, nor TLS between
proxies.
So when a proxy like Squid is placed in front:
* it cannot handle being configured as a peer to Squid. Because those
peers get HTTPS as CONNECT tunnels, or the TLS is proxy-proxy TLS not
client-server.
* it probably can handle Squid terminating CONNECT requests and
tunneling directly to port 443. Because that TLS is done by client, not
Squid.
* it probably can handle Squid SSL-Bump splice or bump traffic with
*no* peers configured. Because Squid is then just another client talking
over port 443 to a server. However, you will need Squid to trust the
FTDv signing certificate, just like clients for SSL-Bump need to trust
Squid's.
HTH
Amos
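A squid.conf sketch for the third case above (SSL-Bump with no cache_peer, Squid trusting the FTDv re-signing CA), added here as an illustration and not taken from the thread or from Squid's documentation; it assumes Squid 4+ directive syntax, and the file paths and the CA file names are placeholders.

```squid
# Added example (not from the original thread): Squid 4+/5 SSL-Bump with *no*
# cache_peer, so Squid itself opens TCP/443 to the origin and the FTDv sees an
# ordinary client-server TLS session it can decrypt. All paths are assumptions.

# Listening port: CONNECT requests are bumped, and per-host certificates are
# generated under Squid's own CA (this CA is what the *clients* must trust).
http_port 3128 ssl-bump tls-cert=/etc/squid/ssl/squid-bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS hello first (SNI visible for logging/ACLs), then bump.
# Replace "bump all" with "splice all" to pass TLS through unmodified while
# still keeping the FTDv in the client-server path.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Outgoing (Squid-to-origin) TLS: the FTDv re-signs origin certificates with
# its own CA, so Squid must trust that CA or every bumped connection fails
# server-certificate verification. default-ca=on keeps the system bundle for
# destinations the FTDv does not decrypt.
tls_outgoing_options cafile=/etc/squid/ssl/ftdv-resign-ca.pem default-ca=on

# Deliberately NO cache_peer lines: with a peer, HTTPS would leave Squid as a
# CONNECT tunnel or as proxy-to-proxy TLS, neither of which the FTDv decrypts.
```

Verification failures from an untrusted FTDv CA show up in cache.log as TLS/SSL handshake errors on the server side of the bumped connection, which is the first thing to check if bumped sites stop loading after the FTDv is inserted.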
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users