[squid-users] Squid ssl-bumping: how does squid verify certificates?

agent_js03 justinmschw at gmail.com
Fri Jan 23 17:20:42 UTC 2015


Hi,

I am kind of a newbie to SSL, and have been tinkering with squid SSL bumping
for https, so bear with me if this question has already been discussed. So
here is my understanding of how HTTPS works: a browser has a sort of local
repository of trusted certificates, correct? And when you access an HTTPS
website it searches through these certificates and determines whether one is
to be trusted or not. So I've set up squid for SSL bumping and have added my
squid certificate to my browser's list of trusted certificates. However, the
way SSL now works is that squid intercepts my HTTPS request and I never
actually see the certificate sent from the original server, correct? So what
I want to know is how does squid know whether the certificate is valid or
not? I am afraid of getting a man-in-the-middle attack since it is squid
that verifies certificates and not my client. Or is my understanding
incorrect? Does squid have this same list of trusted sources and if not can
I set it up myself?



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-ssl-bumping-how-does-squid-verify-certificates-tp4669296.html
Sent from the Squid - Users mailing list archive at Nabble.com.

