[squid-users] How to Configure Proxy Chaining with ssl-bump
michaelchen8176 at gmail.com
Fri Mar 20 13:13:03 UTC 2020
Thanks for your explanation.
Could you instruct me how to install squid v5 based on CentOS 7?
Based on the URL, CentOS does not seem to support Squid v5.
Amos Jeffries <squid3 at treenet.co.nz> wrote on Fri, 20 Mar 2020 at 5:29 PM:
> On 20/03/20 8:27 pm, Michael Chen wrote:
> > Hi Amos,
> > May I know which function Squid v3.5.28 cannot do for my scenario?
> > Because Squid v3.5 still has command of cache_peer and ssl .....
> TLS is a volatile environment, with many changes going on constantly.
> Squid-3 has been deprecated since 2018 and is far behind in support
> needed for current TLS practices.
> Especially when bumping you should always have the latest Squid version.
> This first bit can be tested with Squid-3. It is just about getting a
> secure connection to the peer, any Squid should be able to do that.
> Ensure that the peer proxy is delivering its CA *chain* properly.
> * All the intermediates should be supplied during the server handshake.
> * cache_peer should only need the root CA for that chain. Configured in
> the sslca= or tls-ca= option.
> At this point your Squid should be able to pass traffic to the peer.
> Test that with regular http:// URL requests to your Squid. *Not* HTTPS
> or bumped traffic.
> You can test this following with Squid-3, but do not expect it to work
> very well. Squid-4 is better in a lot of cases, but still not completely.
> Your ssl_bump rules should peek at the client cert, then stare at the
> server cert, then bump the crypto. Like so:
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all
> squid-users mailing list
> squid-users at lists.squid-cache.org
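The two stages Amos describes (first a TLS link to the parent proxy that trusts only the root of the peer's chain, then the peek/stare/bump rules) as one squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the peer name upstream.example.com, the file paths under /etc/squid and /var/lib/squid, the helper path /usr/lib64/squid/security_file_certgen, and the option spellings tls-cafile= and tls-cert= (Squid-4/5 names, as I recall them from the cache_peer and http_port documentation; Squid-3.5 uses ssl sslcafile= and cert=) are all my assumptions.

```squid
# Added example squid.conf fragment (not from the mailing list thread).
# Assumptions: the upstream peer is upstream.example.com:3128, its chain is
# signed by the root stored in /etc/squid/upstream-root-ca.pem, and
# /etc/squid/bump-ca.pem holds the local bumping CA certificate and key.

# --- Stage 1: secure connection to the peer. Only the root CA of the
#     peer's chain goes here; the peer itself must send the intermediates.
#     (Squid-3.5 spelling: 'ssl sslcafile=' instead of 'tls tls-cafile=') ---
cache_peer upstream.example.com parent 3128 0 no-query default \
    tls tls-cafile=/etc/squid/upstream-root-ca.pem
never_direct allow all        # force all traffic through the peer for testing

# --- Stage 2: bumping. Add this only after plain http:// requests through
#     the peer already work. Squid-4 or later is expected here. ---
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1           # read the client hello (SNI) without altering it
ssl_bump stare all            # read the real server certificate
ssl_bump bump all             # then terminate and re-encrypt
```

Verify stage 1 on its own before enabling the ssl_bump lines: send a plain http:// request through the proxy and confirm in access.log that it was forwarded to the peer, and check the peer's handshake with `openssl s_client -connect upstream.example.com:3128 -showcerts` to see that every intermediate is in the served chain. If the root in tls-cafile= does not verify the chain the peer sends, the TLS connection to the peer fails regardless of what the ssl_bump rules say.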