[squid-users] Enable SSL bump

Mustafa Mohammad mustafamohammad92 at gmail.com
Tue Jan 24 16:08:37 UTC 2017


What TLS option? I don't know how to configure that.

On Tue, Jan 24, 2017 at 10:08 AM, Mustafa Mohammad <mustafamohammad92 at gmail.com> wrote:

> No, it is messaging with HTTPS. If I were to use splice and peek, do I
> need a self-signed certificate or any type of certificate?
>
> On Tue, Jan 24, 2017 at 12:56 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote:
>> > By regression...I mean our QA testing server. Let me explain this in
>> > detail: I have a squid proxy running which is needed to connect to the
>> > server so we can get back if the transaction was approved or not. It is a
>> > point of sale application that sends transaction data to the server to
>> > receive a response about the transaction, and that's when the problem is
>> > occurring, when it is trying to communicate to that server. I received some
>> > help and I think ssl splice and ssl peek might work but I don't know how to
>> > use them. I don't know the rules to apply in this situation.
>>
>> What's usually needed in these setups is a reverse-proxy (aka "load
>> balancer", CDN frontend, etc.). But for that to be Squid it would
>> require the POS application to be messaging with HTTP.
>> Is that the case?
>>
>> The peek-and-splice form of SSL-Bump MITM might work anyway so long as
>> the application is actually using real TLS. But you need to be aware the
>> splice action is just blindly tunneling the TLS data through Squid. It
>> is not being touched, so anything like CRL issues is a problem between
>> the endpoints - Squid cannot help unless it's actually HTTP messages,
>> then 'bump' action is needed to fully decrypt and modify the TLS.
>>
>>
>> (That said, there have been some weird issues showing up even when the
>> tunnel is spliced. See the threads about 30sec delays to Cloudflare, or
>> curl rejecting tunneled traffic.)
>>
>> Amos
>>
>
>
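
A peek-and-splice configuration of the kind discussed in this thread, as an added example that is not part of the original messages. It assumes Squid 3.5-style directives; the port number, certificate path and server name are placeholders.

```conf
# Added example (not from the thread). Squid 3.5-style syntax assumed.
# Placeholders: port 3128, /etc/squid/ssl/proxy.pem, pos-server.example.test

# The ssl-bump port is configured with a certificate even when traffic is
# only spliced; Squid needs one in case it has to bump a connection itself
# (for example to serve an error page). Spliced connections never present
# this certificate to the client.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxy.pem

# Step 1: only the CONNECT request / TCP-level details are known so far.
acl step1 at_step SslBump1

# Server name as seen in the CONNECT request or in the peeked TLS SNI.
acl pos_server ssl::server_name pos-server.example.test

# Read the TLS ClientHello without altering it, so the SNI becomes available.
ssl_bump peek step1

# Tunnel the POS server's TLS through untouched. The client validates the
# origin server's own certificate, so certificate or CRL problems remain
# between the two endpoints and Squid cannot influence them.
ssl_bump splice pos_server

# Close every other TLS connection arriving on this port.
ssl_bump terminate all
```

The `ssl_bump` rules are re-evaluated at each step: `peek` matches only at step 1, after which the connection is either spliced (name matches) or terminated.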