[squid-users] SSL bumping without faked server certificates

Stefan Kutzke stefan.kutzke at bettermarks.com
Tue Nov 10 18:05:48 UTC 2015


Hi Sebastian,

I will give it a try.

Regards,
Stefan

On Tuesday, 10.11.2015 at 14:27 +0000, Sebastian Kirschner wrote:
> Hi Stefan,
> 
> I think it would be better to peek at step1 (Then you have the Client
> SNI) and at step2 you could bump or splice.
> Your config 
> > My assumption is that I have to use in Squid's config:
> > https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
> > acl MYSITE ssl::server_name .mydomain.com
> > ssl_bump bump MYSITE
> > ssl_bump splice all
> 
> A better way might be
> # acl step1 at_step SslBump1
> # acl MYSITE ssl::server_name .mydomain.com
> #
> # ssl_bump peek step1
> # ssl_bump bump MYSITE
> # ssl_bump splice all
> 
> Best Regards
> Sebastian
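
A toy model of the rule evaluation behind the peek-at-step1 suggestion quoted above, added here as an example (not part of the thread and not Squid code). It assumes ssl_bump rules are re-evaluated at each step with the first match winning, and that an intercepted connection shows only its destination IP until a step1 peek exposes the client SNI; `decide`, `dst_domain_match`, the sample IP and the host names are constructed for illustration.

```python
# Toy model of ssl_bump rule evaluation (added example, not Squid code).
# Assumptions: rules are re-evaluated at every step and the first match wins;
# an intercepted connection exposes only the destination IP at step 1, and the
# client SNI becomes visible once step 1 ended with "peek".

def dst_domain_match(pattern, name):
    """Match like a '.mydomain.com' ACL value: the domain or any subdomain."""
    if name is None:
        return False
    name = name.lower().rstrip(".")
    base = pattern.lstrip(".").lower()
    return name == base or (pattern.startswith(".") and name.endswith("." + base))

def decide(rules, sni, dst_ip="203.0.113.10"):  # constructed documentation IP
    """Return (step, action) of the final decision for one TLS connection."""
    known_name = dst_ip              # step 1: no SNI yet, only TCP-level info
    for step in (1, 2):
        for action, acl in rules:
            if acl == "all":
                hit = True
            elif acl == "step1":
                hit = step == 1
            else:                    # any other ACL is a server-name pattern
                hit = dst_domain_match(acl, known_name)
            if hit:
                break
        else:
            action = "splice"        # simplification: model default on no match
        if action != "peek":
            return step, action      # bump and splice are final
        known_name = sni or dst_ip   # peeking revealed the Client Hello
    return 2, "splice"               # step 3 is not modelled

# The two rule sets from the thread, as (action, acl) pairs.
ORIGINAL = [("bump", ".mydomain.com"), ("splice", "all")]
SUGGESTED = [("peek", "step1"), ("bump", ".mydomain.com"), ("splice", "all")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for sni in ("www.mydomain.com", "example.org"):   # constructed names
            print(label, sni, decide(rules, sni))
```

Under these assumptions the original rule set reaches `splice all` at step 1 for every intercepted connection, while the suggested one defers the bump-or-splice choice to step 2, where the SNI can be matched.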
