[squid-users] Ignore SSL error and splice by ssl::server_name at the same time

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Wed Jun 20 09:04:18 UTC 2018


I need to provide access to a API service exposed on the internet to my clients. That API uses a certificate signed by a private CA.
I don't want to trust that private CA in my proxies (lest it gets abused and I end up trusting certificates in the proxy that I shouldn't be.  My clients would be unaware since I am bumping all the TLS connections unless explicitly configured. )
To avoid that I tried ignoring the ssl validation error with  sslproxy_cert_error directive and then splicing the connection. But its not working out.

SubjectCN in that services' certificate is "kube-apiserver"

Ignore settings :

acl broken_kubernetes ssl::server_name kube-apiserver
sslproxy_cert_error allow broken_kubernetes
sslproxy_cert_error deny all

Splicing settings:

acl no_ssl_bump_kubernetes ssl::server_name kube-apiserver
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice no_ssl_bump_kubernetes
ssl_bump bump all

Splicing settings are in the lower half of my config.
But I am still getting MITM'ed (bumped) and on the clients, I get a "Not Trusted by MyCA" certificate is being shown. Any ideas ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180620/16ebdea3/attachment.html>

More information about the squid-users mailing list