[squid-users] Transparent proxy with Peek and Splice feature.

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 26 09:33:32 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/11/2014 7:22 a.m., Vadim Rogoziansky wrote:
> Hello All.
> 
> My goal is to do ssl bumping in transparent proxy mode with domain 
> exclude possibility. Let me tell you about squid's strange
> behaviour when I'm trying to do it.
> 
> In browsers it says something like this: "This server could not
> prove that it is www.ukr.net; its security certificate is
> from 212.42.76.253. This may be caused by a misconfiguration or an
> attacker intercepting your connection.
> NET::ERR_CERT_COMMON_NAME_INVALID Subject: 212.42.76.253"
> Looks like squid takes the CN from the certificate as IP address of
> the destination domain.

Squid takes the IP address from the TCP packet. Which is all that is
available in NAT intercepted traffic at bumping step #1.

The ACLs you have therefore determine that "bump" action is to happen.
Correct?

The cert details are therefore mimic'ed from what gets delivered by
the server.

It may be that the server is depending on SNI to generate its own
cert, but since Squid does not have that domain name already an
IP-based cert comes back.

It may also be that some ISP upstream of you is bumping the encryption
with client-first method.



> But, everything works smoothly when I use proxy in non transparent
> mode and put it to the browser directly .

In which case the browser sends domain name to the proxy in its
CONNECT message starting the HTTPS. The possible results are very
different.

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUdZ5sAAoJELJo5wb/XPRj0qIIANBjuFvq45hPmcaj/NYL6bza
7ttt5Gn+tn8E5KH7T4wfQhUXr91UIsYWfOswfnVAAlBevIO/iFVoDN5hAOveuhIl
ra/0eGti1EpZ3LHJiAqmo0mHsrz3v9+PAduVrXgUJLyYDiM0xctg0nRhj2u166VX
j0IL3g8CKEw+KiWVJM9HdLaDEz9fYtHBO8UHhKDDE94O9yxScIvB+GAhN4YlTtrE
z65VJkSCEw+3vH6XcrrkF2aEnB20jeEGiV5puO2cPoJpgcg3ic8sMVEfa/Z1qwqa
KCkj2XI28wBCIovCV+AfBhpvW0o8eVFbt4ESodLTmwjUvU+m8zxky/9cjO5kyLE=
=kgug
-----END PGP SIGNATURE-----
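The configuration shape Amos's reply points at, as an added example that is not part of the thread and not from the Squid project: in intercept mode only the destination IP is known at step 1, so the proxy peeks at the ClientHello first and decides to splice or bump at step 2, when the SNI is available. Squid 3.5-style peek/splice syntax is assumed; the port, certificate path and the exclusion list (.ukr.net is the thread's own example, the second entry a placeholder) must be adjusted for a real deployment.

```conf
# Added example (not from the thread): transparent HTTPS interception that
# peeks at step 1 so the SNI is known before choosing to bump or splice.
# Port, cert path and exclusion entries are placeholders.

https_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step 1: NAT-intercepted traffic exposes only the TCP destination IP.
acl step1 at_step SslBump1

# Domains that must never be bumped, matched on the SNI (available from step 2).
acl nobump ssl::server_name .ukr.net
acl nobump ssl::server_name .example.com

# Peek at step 1 to read the ClientHello instead of bumping on the IP alone.
ssl_bump peek step1
# Step 2: tunnel excluded domains unmodified, now identifiable by SNI.
ssl_bump splice nobump
# Step 2: bump everything else; the mimicked cert carries the SNI name
# rather than the bare IP seen in the browser error above.
ssl_bump bump all
```

With "ssl_bump bump" applied directly at step 1, the ssl::server_name ACL can only see the IP address, which is why a domain exclude list cannot work there; peek at step 1 followed by splice or bump at step 2 is what makes the exclusion possible in intercept mode. Browsers will still reject bumped sites unless the signing CA in bump.pem is trusted by the clients.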

