On Thu, 23 May 2024 at 18:00, Jonathan Lee <jonathanlee571@xxxxxxxxx> wrote:
> I do use SSL Bump; again, it requires certificates installed on the devices, and/or a splice for some of the others. You must also add a URL list for items that must never be intercepted, like banks etc. I agree it is not an easy task; it took me years to get it to work correctly for what I needed. When it does work it works beautifully: you can cache updates and reuse them, and you can use ClamAV on HTTPS traffic. It's not for everyone; it will make you a wizard level 1000 if you can get it going.
Jonathan, can you give me an example of it working?
Oddly, you are replying to a message from Alex that I never received.
Alex, in answer to your questions...
I'm doing some testing against a client's site; they require a custom header to allow my connections through their WAF. I could try to do this manually with all my tools, but it would be easier to just have Squid do it for me and then have the tools use Squid as their proxy. I can tell them not to do cert checking, or I can use my own CA and import it into the system store; that is not a problem.
I've tried searching for Squid and SslBump and not found anything useful that works with the current version; that is why I'm asking here. I was hoping someone could point me at an example that would definitely work with the current version of Squid.
Robin
Sent from my iPhone
> On May 23, 2024, at 08:49, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2024-05-22 03:49, Robin Wood wrote:
>
>> I'm trying to work out how to add an extra header to a TLS connection.
>
> I assume that you want to add a header field to an HTTP request or response that is being transmitted inside a TLS connection between a TLS client (e.g., a user browser) and an HTTPS origin server.
>
> Do you control the client that originates that TLS connection (or its OS/environment) or the origin server? If you do not, then what you want is impossible -- TLS encryption exists, in part, to prevent such traffic modifications.
>
> If you control the client that originates that TLS connection (or its OS/environment), then you may be able to, in _some_ cases, add that header by configuring the client (or its OS/environment) to trust you as a Certificate Authority, minting your own X509 certificates, and configuring Squid to perform a "man in the middle" attack on client-server traffic, using your minted certificates. You can search for Squid SslBump to get more information about this feature, but the area is full of insurmountable difficulties and misleading advice. Avoid it if at all possible!
>
>
> HTH,
>
> Alex.
>
>
>> I've found information on how to do it on what I think is the pre-3.5 release, but I can't find any useful information on doing it on the current version.
>> Could someone give me an example or point me at some documentation on how to do it.
>> Thanks
>> Robin
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.squid-cache.org/listinfo/squid-users
>
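The configuration Alex describes and Robin is asking for, as an added example that is not part of the thread and not code from the Squid project: a squid.conf fragment for Squid 4 and later (the tls-cert/tls-key port options and security_file_certgen helper are the 4+ names; 3.5 used cert=/key= and ssl_crtd) that peeks at the SNI, bumps only the engagement target, splices everything else, and uses request_header_add to inject the WAF allow-list header into the decrypted requests. The CA file paths, the header name X-Pentest-Token and its value, the domain target.example, and the file /etc/squid/nobump.txt are placeholders to be replaced.

```conf
# Added example squid.conf fragment (Squid 4+). All paths, names and
# domains below are placeholders, not values from the mailing-list thread.

# Forward-proxy listener on localhost only: anyone who can reach this
# port gets the engagement token injected into their requests.
# ssl-bump enables TLS interception on this port.
http_port 127.0.0.1:3128 ssl-bump \
    tls-cert=/etc/squid/ssl/myCA.pem \
    tls-key=/etc/squid/ssl/myCA.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host leaf certificates signed by myCA.
# Create the CA and initialise the cert database once, e.g.:
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -extensions v3_ca -keyout /etc/squid/ssl/myCA.key -out /etc/squid/ssl/myCA.pem
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Server names that must never be intercepted (banks, anything that pins
# its certificate): one per line in the file, e.g. ".examplebank.example".
acl nobump ssl::server_name "/etc/squid/nobump.txt"

# The only site we want decrypted: the client's target.
acl target ssl::server_name .target.example

# Step 1: peek at the ClientHello so the SNI is available to the ACLs.
acl step1 at_step SslBump1
ssl_bump peek step1
# Step 2: splice (pass through untouched) the never-intercept list,
# bump (decrypt and re-encrypt with a minted cert) the target,
# and splice everything else so nothing unrelated is MITMed.
ssl_bump splice nobump
ssl_bump bump target
ssl_bump splice all

# Inject the WAF allow-list header into requests Squid forwards upstream.
# This only affects bumped traffic; spliced connections are opaque to Squid.
acl to_target dstdomain .target.example
request_header_add X-Pentest-Token "REPLACE-WITH-ENGAGEMENT-TOKEN" to_target

# Tools then point at the proxy and trust myCA, e.g.:
#   curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/ssl/myCA.pem https://www.target.example/
```

Two checks worth doing before relying on this: confirm with `squid -k parse` that the directive names match the installed version, and confirm in access.log that the target shows up as a bumped (decrypted GET/POST) request rather than a bare CONNECT, since a spliced connection will silently carry no injected header. Anything with certificate pinning belongs in the nobump list; it will fail against a minted certificate regardless of which CA the tool trusts.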