[squid-users] Ignore SSL error and splice by ssl::server_name at the same time

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Wed Jun 20 09:55:12 UTC 2018

Forgot to add. Remote IP addresses are not expected to remain constant. So I cannot build ACLs that way. So ssl::server_name is the only other hope.

From: Ahmad, Sarfaraz
Sent: Wednesday, June 20, 2018 2:34 PM
To: 'squid-users at lists.squid-cache.org' <squid-users at lists.squid-cache.org>
Subject: Ignore SSL error and splice by ssl::server_name at the same time


I need to provide access to a API service exposed on the internet to my clients. That API uses a certificate signed by a private CA.
I don't want to trust that private CA in my proxies (lest it gets abused and I end up trusting certificates in the proxy that I shouldn't be.  My clients would be unaware since I am bumping all the TLS connections unless explicitly configured. )
To avoid that I tried ignoring the ssl validation error with  sslproxy_cert_error directive and then splicing the connection. But its not working out.

SubjectCN in that services' certificate is "kube-apiserver"

Ignore settings :

acl broken_kubernetes ssl::server_name kube-apiserver
sslproxy_cert_error allow broken_kubernetes
sslproxy_cert_error deny all

Splicing settings:

acl no_ssl_bump_kubernetes ssl::server_name kube-apiserver
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice no_ssl_bump_kubernetes
ssl_bump bump all

Splicing settings are in the lower half of my config.
But I am still getting MITM'ed (bumped) and on the clients, I get a "Not Trusted by MyCA" certificate is being shown. Any ideas ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180620/d6e15796/attachment-0001.html>

More information about the squid-users mailing list