[squid-users] Using dont_verify_peer

Markey, Bruce bmarkey at steinmancommunications.com
Fri Apr 29 17:47:38 UTC 2016


Ok that makes more sense now. Thanks to everyone for the tips.  I'm going to work on this over the next few days and see where I end up. 



Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

-----Original Message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
Sent: Friday, April 29, 2016 11:13 AM
To: squid-users at lists.squid-cache.org
Cc: Markey, Bruce <bmarkey at steinmancommunications.com>
Subject: Re: [squid-users] Using dont_verify_peer

On 04/28/2016 02:32 PM, Markey, Bruce wrote:

> I’ve been having to actually remove folks from the proxy so they could work.
> I can’t deny users access to the sites they need.
> all I really wanted was to keep stats on sites visited.

Yours and many other passive monitoring use cases call for a non-intrusive or "stealth" splice. No TLS version enforcement, no [fatal] certificate validation errors, no errors returned to the user, just domain name logging and splicing. Supporting this stealthy mode requires a lot of work, and there is currently no sponsor to get us all the way to that goal, but I am optimistic that we will eventually get there.

The automated certificate fetching (bug #4305) still needs to be supported, of course. It is a separate issue.

Meanwhile, besides manually adding untrusted certificates as has been recommended by others, consider limiting peeking to step1 [in some cases]. This way, Squid will not see and validate the server certificate. If most of your traffic has SNI, and users are not trying to defeat your monitoring, then the logs may still contain enough info to produce the stats you want, even without seeing certificates.


HTH,

Alex.
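Added example, not part of the thread above: a squid.conf fragment that implements the "peek at step1 only, then splice" approach Alex describes. The port number, CA certificate path and log path are assumed placeholders; the directives (`at_step`, `ssl_bump peek`/`splice`, the `%ssl::>sni` logformat code) are standard Squid 3.5+ SslBump configuration.

```conf
# Intercepted HTTPS port with SslBump enabled. The cert= option is required
# by ssl-bump even though, with the rules below, Squid never generates a
# certificate for any server. Path is a placeholder.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/proxy-ca.pem

# SslBump step 1 = Squid has only the client's TLS ClientHello (with SNI);
# no server certificate has been received yet.
acl step1 at_step SslBump1

# Look at the ClientHello only, then pass the connection through untouched.
# Because Squid never proceeds to step 2, it never receives the server
# certificate, so no certificate validation can fail and no error page is
# ever returned to the user.
ssl_bump peek step1
ssl_bump splice all

# Log the SNI so per-domain statistics can be built from access.log even
# though no server certificate is ever seen. Clients that send no SNI will
# show an empty %ssl::>sni field and only the destination IP (%<a).
logformat sni_stats %ts.%03tu %>a %<a %Ss/%03>Hs %<st %rm %ssl::>sni
access_log /var/log/squid/access.log sni_stats
```

Because the connection is spliced rather than bumped, Squid cannot inspect request content at all; what this buys is exactly the passive domain logging the thread asks for, without the TLS version and certificate checks that were breaking users. The %ssl::>sni column is only as trustworthy as the client: a client that omits SNI, or sends a misleading one, is logged as such, which is the "users are not trying to defeat your monitoring" assumption Alex states.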


