[squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

j m acctforjunk at yahoo.com
Thu May 25 11:11:53 UTC 2017


Yay! It works! I got the Firefox addon FoxyProxy and checked the little SSL box, and it works perfectly.

How frustrating is it that Firefox and Chrome don't have this as an easy box to check?  They say it will cause confusion, but how many people even use a proxy to begin with?


From: Amos Jeffries <squid3 at treenet.co.nz>
To: j m <acctforjunk at yahoo.com>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
Sent: Wednesday, May 24, 2017 5:15 PM
Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?
   
On 25/05/17 09:01, j m wrote:
> Some more info:  I tried this on Firefox 53 and got more feedback, but 
> still doesn't work.  Per the recommendation on bugzilla (bug 378637), 
> I put https://myaddress:myport into 
> firefox and it gives me a "Your connection is not secure".  So I add 
> the exception, and it then displays the squid message "ERROR The 
> requested URL could not be retrieved", as expected.
>
> So I add the proxy to Firefox (in Advanced, Network, Settings) as the 
> HTTP Proxy....doesn't work, "The proxy server is refusing 
> connections".  I then put https:// in front of the address, then it's 
> "Server not found".  I then add it as SSL Proxy.  It appears to be 
> working, but really it's simply not using the proxy at all because I 
> stopped squid and it made no difference.
>

The settings you enter via the Browser GUI are exclusively for setting 
up plain-text proxy connections.

"SSL Proxy" in the Browser GUI means the proxy to send any SSL/TLS 
traffic *through* (using CONNECT tunnel).


> The link you reference on getting Firefox to work with this refers to 
> Firefox 33, so by now I'd think I could directly add the proxy to the 
> normal place in Firefox options?

Unfortunately that would be far too sensible.  It only took ~20 years to 
get them to accept any kind of TLS/SSL security on the Browser<->proxy 
connection in the first place.

I really wish that was a joke, but I've long ago given up on expecting 
sanity from Browser people. For the topic in question, the argument 
behind not adding a simple tick-box to that somewhat hidden GUI popup to 
enable TLS/SSL to a proxy ... is unwaveringly that "changing the UI 
would cause a lot of end users some confusion and pain" or words to that 
effect - and yet I've lost count of how many graphical redesigns have 
happened to the things those end-users are directly seeing and using on 
a daily basis. But one semi-hidden tick box, oh no!

Amos



   