[squid-users] Using dont_verify_peer

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 29 15:12:34 UTC 2016

On 04/28/2016 02:32 PM, Markey, Bruce wrote:

> I’ve been having to actually remove folks from the proxy so they could work.
> I can’t deny users access to the sites they need.
> all I really wanted was to keep stats on sites visited.

Yours and many other passive monitoring use cases call for a
non-intrusive or "stealth" splice. No TLS version enforcement, no
[fatal] certificate validation errors, no errors returned to the user,
just domain name logging and splicing. Supporting this stealthy mode
requires a lot of work, and there is currently no sponsor to get us all
the way to that goal, but I am optimistic that we will eventually get there.

The automated certificate fetching (bug #4305) still needs to be
supported, of course. It is a separate issue.

Meanwhile, besides manually adding untrusted certificates as have been
recommended by others, consider limiting peeking to step1 [in some
cases]. This way, Squid will not see and validate the server
certificate. If most of your traffic has SNI, and users are not trying
to defeat your monitoring, then the logs may still contain enough info
to produce the stats you want, even without seeing certificates.



More information about the squid-users mailing list