[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

Yuri Voinov yvoinov at gmail.com
Mon Jul 6 13:57:55 UTC 2015


And finally:

HTTPS is used for malware transmission (and we can't scan it!), for porn
viewing, for illegal P2P traffic and others.

And we are the paladins in white robes.

06.07.15 19:34, adam900710 writes:
> 2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3 at treenet.co.nz>:
>> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>>
>>> Here is some of my experiments:
>>> 1) Remove "never_direct"
>>> Then ssl_bump works as expected, but all traffic doesn't go through
>>> the SOCKS5 proxy. So a lot of sites I can't access.
>>>
>>> 2) Use local 8118 proxy
>>> That works fine without any problem, but ssl_bump is needed...
>>> So that just proves privoxy is working.
>>>
>>> Any clue?
>>
>>> Also, if I disable "ssl_bump" at the http_port line, squid works without
>>> any problem just as a forwarder.
>>> But that makes no sense anyway.
>>
>> Makes perfect sense. Would you like anybody to be able to decrypt your
>> HTTPS traffic and send it as plain-text wherever they want?
>>
>> Squid does not permit that. All inbound encrypted traffic must one way
>> or another leave upstream only by encrypted channels.
> Agree with Yuri, I hate the government (Yeah, especially the f**king
> China gov!) and
> the evil Chinese one has already tried this trick on gmail some months ago.
>
> That's who forces me to pass the traffic to privoxy, as the Great
> Firewall is already
> blocking me to reach most sites in the open world.
>
> Also you get a little confused with ssl bump and
> encryption/authentication.
>
> SSL bump in fact doesn't do the black magic to magically decrypt
> everything without cost.
> PKI things still make you know that someone is bumping your SSL
> communication.
>
> So normally with SSL bump, you will see a big browser warning about
> the unknown issuer of
> the faked certificates.
> And a normal routine like curl will just abort the connection when it
> finds the certificate is not valid.
>
> Although the communication loses its encryption, you can still know you
> are under monitoring.
> And this implementation needs you to trust the fake CA.
> If one doesn't trust it, just blacklist the fake CA and use tor or
> whatever to really hide the trace.
>
> So although ssl bump destroys encryption, it doesn't destroy
> authentication.
> And the combination of ssl bump and cache peer should be allowed if there
> are no bugs or configuration errors on my part.
>
> Thanks.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
