[squid-users] using squid3 without certificate

Antony Stone Antony.Stone at squid.open.source.it
Mon Jul 11 22:09:11 UTC 2016


On Monday 11 July 2016 at 23:07:06, HackXBack wrote:

> Is there any news for using squid3 for caching https connections without
> install certificates in client browser manually ?

Yes, it's impossible.

The client needs to see a server certificate signed by a trusted CA.

If Squid is going to intercept (which I infer from your question) HTTPS 
connections, it has to present a certificate to the client which it has created 
on-the-fly for the destination server and which is acceptable to the client.

To create such certificates on-the-fly, Squid needs to have a CA certificate and 
a private signing key, to create new certificates trusted by any client which 
trusts that CA.

If it were able to do that using any of the CA certificates already installed 
and trusted by standard clients, then Squid would be able to fake a certificate 
for (almost) any site on the Internet, thus destroying the HTTPS trust model.

That ain't gonna happen.

Therefore the only way to do HTTPS interception is to create a local CA and 
install that CA's certificate on all clients which need to use that Squid.

The whole point is that HTTPS interception is a MITM "attack" (I use the term 
slightly loosely), and therefore no browser is going to let you get away with 
it lightly.

Hope that helps,


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

                                                   Please reply to the list;
                                                         please *don't* CC me.
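The trust model Antony describes, as an added example that is not part of the thread or of Squid's own code: a constructed local CA, an on-the-fly server certificate for a destination host signed by that CA, and a check of whether a client accepts it depending on whether the CA is in its trust store (Go's crypto/x509, with constructed names and hosts).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window shared by the constructed certificates.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)
// sign creates a certificate from tmpl, signed by parent with signer's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// NewLocalCA mints the proxy's own CA (constructed name, not a real CA) and its signing key.
func NewLocalCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Local Proxy CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}
// MintLeaf is the on-the-fly server certificate the proxy presents for host, signed by the local CA.
func MintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
// ClientAccepts reports whether a client whose trust store is exactly roots would accept leaf
// for host; an empty pool models a browser on which no local CA has been installed.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
func main() {
	ca, key := NewLocalCA()
	leaf := MintLeaf(ca, key, "www.example.com")
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("CA installed:", ClientAccepts(leaf, withCA, "www.example.com"))                // true
	fmt.Println("CA not installed:", ClientAccepts(leaf, x509.NewCertPool(), "www.example.com")) // false
}
```

The second line of output is the browser warning Antony refers to: without the local CA in the trust store, the on-the-fly certificate chains to nothing the client trusts.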

