[squid-users] Ignore SSL error and splice by ssl::server_name at the same time
Sarfaraz.Ahmad at deshaw.com
Wed Jun 20 09:04:18 UTC 2018
I need to provide access to a API service exposed on the internet to my clients. That API uses a certificate signed by a private CA.
I don't want to trust that private CA in my proxies (lest it gets abused and I end up trusting certificates in the proxy that I shouldn't be. My clients would be unaware since I am bumping all the TLS connections unless explicitly configured. )
To avoid that I tried ignoring the ssl validation error with sslproxy_cert_error directive and then splicing the connection. But its not working out.
SubjectCN in that services' certificate is "kube-apiserver"
Ignore settings :
acl broken_kubernetes ssl::server_name kube-apiserver
sslproxy_cert_error allow broken_kubernetes
sslproxy_cert_error deny all
acl no_ssl_bump_kubernetes ssl::server_name kube-apiserver
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice no_ssl_bump_kubernetes
ssl_bump bump all
Splicing settings are in the lower half of my config.
But I am still getting MITM'ed (bumped) and on the clients, I get a "Not Trusted by MyCA" certificate is being shown. Any ideas ?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the squid-users