[squid-users] ssl-bump doesn't like valid web server

Steve Hill steve at opendium.com
Mon Feb 2 12:09:12 UTC 2015


On 22.01.15 08:14, Amos Jeffries wrote:

> Squid only *generates* server certificates using that helper. If you
> are seeing the log lines "Generating SSL certificate" they are
> incorrect when not using the helper.
>
> The non-helper bumping is limited to using the configured http(s)_port
> cert= and key= contents. In essence only doing client-first or
> peek+splice SSL-bumping styles.

I'm pretty sure this is incorrect - I'm running Squid 3.4 without 
ssl_crtd, configured to bump server-first.  The cert= parameter to the 
http_port line points at a CA certificate.  When visiting an https site 
through the proxy, the certificate sent to the browser is a forged 
version of the server's certificate, signed by the cert= CA.  This 
definitely seems to be server-first bumping - if the server's CA is 
unknown, Squid generates an appropriately broken certificate, etc. as 
you would expect.

Am I missing something?

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messenger: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
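The setup Steve describes (Squid 3.4, server-first bumping, no ssl_crtd helper, cert= pointing at a CA) written out as a squid.conf fragment, with a client-side check for which certificate actually reaches the browser. This is an added example, not configuration from the thread or from the Squid project; the paths, port, hostnames and the "all" ACL scope are assumptions, and the thread itself is what disputes whether the helper is needed for this to work.

```conf
# Added example, not from the thread or the Squid project. Paths, port and
# the "all" ACL scope are assumptions; adjust them to your site.

# Port that terminates client TLS. cert= is the CA certificate that signs
# the forged server certificates and key= is its private key. That key can
# impersonate any HTTPS site to your clients: keep it readable only by the
# Squid user, and install only the certificate (never the key) in clients'
# trust stores.
http_port 3128 ssl-bump cert=/etc/squid/ssl/bump-ca.pem key=/etc/squid/ssl/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# server-first: Squid opens the TLS connection to the origin first, then
# mimics the origin certificate towards the client. An origin certificate
# that Squid cannot validate is mirrored as an equally broken forged one,
# so the browser still shows its warning instead of a silently "fixed" site.
ssl_bump server-first all

# No sslcrtd_program line here, matching the setup in the message above. To
# offload certificate generation to the helper instead, add (paths assumed):
# sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# sslcrtd_children 5

# Check from a client what is actually served (hostnames assumed; curl
# issues an HTTP CONNECT through the proxy and validates against the CA):
#   curl -v --proxy http://proxy.example.net:3128 --cacert bump-ca.pem https://example.com/
# In curl's "Server certificate:" block the subject should name example.com
# while the issuer is the bump CA. If the issuer is the site's real CA, the
# connection was tunnelled, not bumped.
```

The curl check is the quickest way to settle, for a given build, whether a forged certificate is being produced without the helper: it reports the issuer of whatever certificate the proxy presented, independent of what cache.log says about certificate generation.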

