[squid-users] Enable SSL bump

Mustafa Mohammad mustafamohammad92 at gmail.com
Tue Jan 24 16:08:00 UTC 2017


No, it is messaging with HTTPS. If I were to use splice and peek, do I need
a self-signed certificate or any type of certificate?

On Tue, Jan 24, 2017 at 12:56 AM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote:
> > By regression...I mean our QA testing server. Let me explain this in
> > detail: I have a squid proxy running which is needed to connect to the
> > server so we can get back if the transaction was approved or not. It is a
> > point of sale application that sends transaction data to the server to
> > receive response about the transaction and that's when the problem is
> > occurring when it is trying to communicate to that server. I received some
> > help and I think ssl splice and ssl peek might work but I don't know how to
> > use them. I don't know the rules to apply in this situation.
>
> What's usually needed in these setups is a reverse-proxy (aka "load
> balancer", CDN frontend, etc.). But for that to be Squid it would
> require the POS application to be messaging with HTTP.
>  Is that the case?
>
> The peek-and-splice form of SSL-Bump MITM might work anyway so long as
> the application is actually using real TLS. But you need to be aware the
> splice action is just blindly tunneling the TLS data through Squid. It
> is not being touched, so anything like CRL issues is a problem between
> the endpoints - Squid cannot help unless it's actually HTTP messages,
> then 'bump' action is needed to fully decrypt and modify the TLS.
>
>
> (That said, there have been some weird issues showing up even when the
> tunnel is spliced. See the threads about 30sec delays to Cloudflare, or
> curl rejecting tunneled traffic.)
>
> Amos
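
A minimal squid.conf sketch of the peek-and-splice setup discussed in this thread, added as an example and not taken from either poster's configuration. It assumes Squid 3.5 directive syntax; the port, the certificate path and the server name pos.example.com are placeholders.

```conf
# Constructed example: every path, port and host name below is a placeholder.

# Listening port with SSL-Bump processing enabled.
# cert= names the proxy's own CA certificate and key. Squid signs with it
# only when a connection is bumped; a spliced connection keeps the origin
# server's certificate and is not re-signed.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem

# Step 1 of SSL-Bump: the TLS ClientHello (and its SNI) is available.
acl step1 at_step SslBump1

# The back-end server the point-of-sale application talks to (placeholder).
acl pos_server ssl::server_name pos.example.com

# Peek at the ClientHello so the server name can be matched.
ssl_bump peek step1

# Splice: tunnel the TLS bytes through untouched. Certificate validation,
# CRL checks and so on remain between the two endpoints.
ssl_bump splice pos_server

# Alternative to splice: fully decrypt the traffic so Squid sees the HTTP
# messages. The client must then trust the CA given in cert= above.
# ssl_bump bump pos_server

# Close any other TLS connection arriving on this port.
ssl_bump terminate all
```

Running `squid -k parse` checks the file for syntax errors before a reload.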