[squid-users] question about squid and https connection .

Eliezer Croitoru eliezer at ngtech.co.il
Thu Jul 12 20:35:46 UTC 2018


Alex,

Just to be sure:
Every RSA key and certificate pair regardless to the origin server and the SSL-BUMP enabled proxy can be different.
If the key would be the exact same one then we will probably have a very big security issue/risk to my understanding (leaving aside DH).

Will it be more accurate to say that just as long as these 200 squid instances(different squid.conf and couple other local variables)
use the same exact ssl_db cache directory  then it's probable that they will use the same certificate.
Or these 200 squid instances are in SMP mode with 200 workers...
If these 200 instances do not share memory and certificate cache then there is a possibility that the same site from two different sources
will serve different certificates(due to the different RSA key which is different).

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Alex Rousskov
Sent: Thursday, July 12, 2018 11:27 PM
To: --Ahmad-- <ahmed.zaeem at netstream.ps>; Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] question about squid and https connection .

On 07/12/2018 01:17 PM, --Ahmad-- wrote:

> if i have pc# 1 and that pc open facebook .
> 
> then i have other pc # 2 and that other pc open facebook .
> 
> 
> now  as we know facebook is https .
> 
> so is the key/ cert that used on pc # 1 is same as cert in pc # 2 to decrypt the fb encrypted traffic ?

Certificates themselves are not used (directly) to decrypt traffic
AFAIK, but yes, both PCs will see the same server certificate (ignoring
CDNs and other complications).



> now in the presence of squid .
> 
> if i used tcp connect method  , will it be different than above ?

If you are not bumping the connection, then both PCs will see the same
real Facebook certificate as if those PCs did not use a proxy.

If you are bumping the connection, then both PCs will see the same fake
certificate generated by Squid.



> say i used 200 proxies in same squid machine and i used to access FB from the same pc same browser .
> 
> will facebook see my cert/key i used to decrypt its traffic ?

If you are asking whether Facebook will know anything about the fake
certificate generated by Squid for clients, then the answer is "no,
unless Facebook runs some special client code to deliver (Squid)
certificate back to Facebook".

In general, the origin server assumes that the client is talking to it
directly. Clients may pin or otherwise restrict certificates that they
trust, but after the connection is successfully established, the server
may assume that it is talking to the client directly. A paranoid server
may deliver special code to double check that assumption, but there are
other, more standard methods to prevent bumping such as certificate
pinning and certificate transparency cervices.



> is the key/cert of FB to decrypt the https content is same on all browsers on all computers ?

If you are asking whether the generated certificates are going to be the
same for all clients, then the answer is "yes, provided all those 200
Squids use the same configuration (including the CA certificate) and
receive the same real certificate from Facebook". Squid's certificate
generation algorithm generates the same certificate given the same
configuration and the same origin server certificate.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list