[squid-users] infinite loop on using SSL to connect to squid with ssl-bump

Jason Haar Jason_Haar at trimble.com
Mon Oct 20 23:45:10 UTC 2014


On 21/10/14 12:24, Alex Rousskov wrote:
> On 10/20/2014 04:22 PM, Jason Haar wrote:
>
>> Both Chrome and Firefox support talking to proxies using SSL (wpad type
>> "HTTPS" instead of "PROXY"). 
> I did not know that support was added to major browsers. Any pointers to
> the relevant configuration knobs? Can it be configured without WPAD?

The official Squid wiki is still mostly correct, other than that Firefox
started working very recently:

http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

So it looks like WPAD only at the moment.

> If you remove SslBump and intercept options from https_port, then Squid
> should be able to accept and decode the SSL connection, and receive a
> plain GET request inside it.

Yeah that works just fine.

> Please note that I am not sure Squid can currently *bump* CONNECT
> requests directed at https_port inside an SSL connection.

Ah - well that would explain it then :-)

We run an internal PKI and all our staff have individual client certs.
What I'm wanting to test is if our firefox/chrome users could run their
browsers on the Internet back to our content-filtering Squid proxies via
ssl-proxy-with-client-certs. Hence my testing.

Probably won't work, but worth a shot ;-)



-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
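
Added example, not part of the original message or the Squid documentation: a WPAD/PAC file that uses the "HTTPS" proxy type discussed in this thread so the browser-to-Squid hop runs inside TLS. The proxy name `proxy.example.com`, port `3129` and the internal zone `.corp.example.com` are assumptions for illustration.

```javascript
// Constructed PAC file (served as wpad.dat / proxy.pac). All names are assumed.
var PROXY_TLS = "HTTPS proxy.example.com:3129"; // Squid https_port (assumed)
var INTERNAL_SUFFIX = ".corp.example.com";      // assumed internal DNS zone

// Browsers supply these PAC helpers; the fallbacks let the file run under Node.
var plainHost = typeof isPlainHostName === "function" ? isPlainHostName
  : function (h) { return h.indexOf(".") === -1; };
var inDomain = typeof dnsDomainIs === "function" ? dnsDomainIs
  : function (h, d) {
      return h.length >= d.length && h.slice(h.length - d.length) === d;
    };

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback and single-label intranet names are not sent to the proxy.
  if (host === "localhost" || host === "127.0.0.1" || plainHost(host)) {
    return "DIRECT";
  }
  // The leading dot in INTERNAL_SUFFIX stops "notcorp.example.com" matching.
  if (inDomain(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }

  // "HTTPS" (not "PROXY") makes the browser open TLS to the proxy first.
  // http:// URLs then arrive as plain GETs inside that TLS session;
  // https:// URLs arrive as CONNECT inside it, which per this thread
  // Squid may not be able to bump.
  // No "; PROXY ..." or "; DIRECT" entry follows, so the PAC result never
  // offers a cleartext or unproxied alternative.
  return PROXY_TLS;
}
```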


