[squid-users] Enable SSL bump

Mustafa Mohammad mustafamohammad92 at gmail.com
Tue Jan 24 17:07:54 UTC 2017


I just received the news from my team that Squid is working at first, but
when they restart the service, it doesn't work. Has anyone encountered
issues like that?

On Tue, Jan 24, 2017 at 12:56 AM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote:
> > By regression...I mean our QA testing server. Let me explain this in
> > detail: I have a squid proxy running which is needed to connect to the
> > server so we can get back if the transaction was approved or not. It is a
> > point of sale application that sends transaction data to the server to
> > receive response about the transaction and that's when the problem is
> > occurring when it is trying to communicate to that server. I received some
> > help and I think ssl splice and ssl peek might work but I don't know how to
> > use them. I don't know the rules to apply in this situation.
>
> What's usually needed in these setups is a reverse-proxy (aka "load
> balancer", CDN frontend, etc.). But for that to be Squid it would
> require the POS application to be messaging with HTTP.
> Is that the case?
>
> The peek-and-splice form of SSL-Bump MITM might work anyway so long as
> the application is actually using real TLS. But you need to be aware the
> splice action is just blindly tunneling the TLS data through Squid. It
> is not being touched, so anything like CRL issues is a problem between
> the endpoints - Squid cannot help unless it's actually HTTP messages,
> then 'bump' action is needed to fully decrypt and modify the TLS.
>
>
> (That said, there have been some weird issues showing up even when the
> tunnel is spliced. See the threads about 30sec delays to Cloudflare, or
> curl rejecting tunneled traffic.)
>
> Amos
>
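
The peek-and-splice setup discussed in the quoted reply, written out as a squid.conf fragment. This is an added example, not configuration posted in the thread or taken from the Squid project; the port, the CA certificate path and the server name `pos-backend.example.com` are placeholders, and it assumes a Squid 3.5 or later build with SSL-Bump support.

```conf
# Constructed example. Port, certificate path and server name are placeholders.

# An ssl-bump port needs a CA certificate even when every connection is
# spliced; the certificate is only used for connections that get bumped.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/proxyCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# SslBump1 is the step at which Squid has the TLS client hello and can
# read the requested server name (SNI).
acl step1 at_step SslBump1

# The backend the POS application talks to, matched by SNI (placeholder).
acl pos_server ssl::server_name pos-backend.example.com

# Look at the client hello without altering it, so the SNI is known
# before a splice/bump decision is made.
ssl_bump peek step1

# Splice: pass the TLS bytes through untouched. The client validates the
# real server certificate itself, so certificate or CRL failures are
# decided between the endpoints and Squid sees no HTTP messages.
ssl_bump splice pos_server

# Bump (alternative to the splice line above): Squid terminates TLS on
# both sides and can see and modify the HTTP messages. This only works if
# the application speaks HTTP inside TLS and trusts the CA given in cert=.
# ssl_bump bump pos_server

# Everything else is tunnelled untouched.
ssl_bump splice all
```

`squid -k parse` checks the file for syntax errors before the service is restarted.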

