[squid-users] Let Squid use SSL certificate for a parent cache peer

Antony Stone Antony.Stone at squid.open.source.it
Tue May 5 10:26:58 UTC 2020


On Tuesday 05 May 2020 at 12:21:19, mariolatif741 wrote:

> The purpose of proxy A is that it's the proxy that will be given to my
> clients. The purpose of all that I am doing is to let my clients use proxy
> B indirectly through proxy A (so they can use proxy B without installing
> the CA certificate)

Won't work.

If you are doing HTTPS / SSL / TLS interception *at any point* in the chain 
between the client and the real server, then the machine doing the 
interception is going to have to generate a fake certificate for what it sends 
back to the client (no matter whether that passes through an intermediate 
proxy or not), therefore the client needs to have the fake CA certificate 
installed in order to trust what it receives.

There is no way for the client to get the "real" certificate from the "real" 
server if a machine in between intercepts and decrypts the communication.  If 
there were, TLS security would be meaningless.

Regards,


Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer

                                                   Please reply to the list;
                                                         please *don't* CC me.
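An added illustration of the point above (not part of the thread, and not Squid's own code): it mints a certificate for an origin host under a locally generated "interception CA", the way an ssl_bump proxy would, and then validates it the way the client does. Hostname, subject names and file paths are constructed; openssl must be on the PATH.

```sh
#!/bin/sh
# Added example: why a client must trust the interception CA.
# Everything is generated locally in a temp directory; nothing is contacted.
set -eu
WORK=$(mktemp -d)
ORIGIN=www.example.com   # hostname the client asks for (constructed)

# The CA an intercepting proxy (proxy B above) holds and signs with.
gen_intercept_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Proxy B interception CA" \
    >/dev/null 2>&1
}

# Stand-in for the roots a client trusts out of the box (constructed).
gen_client_roots() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/roots.key" \
    -out "$WORK/roots.pem" -days 1 -subj "/CN=Some public root CA" \
    >/dev/null 2>&1
}

# The proxy mints a leaf for $ORIGIN, signed by its own CA, and hands it
# to the client in place of the real server's certificate.
mint_fake_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=$ORIGIN" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$ORIGIN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Client-side chain validation. $1 = the CA bundle the client trusts.
# Prints "trusted" or "rejected"; an intermediate proxy A changes nothing.
client_verify() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

gen_intercept_ca
gen_client_roots
mint_fake_leaf
echo "client without interception CA: $(client_verify "$WORK/roots.pem")"
echo "client with interception CA:    $(client_verify "$WORK/ca.pem")"
```

The same check against a live chain is `openssl s_client -connect host:443 -proxy proxyA:3128 -showcerts`: if the issuer shown is the interception CA rather than the origin's public CA, the client needs that CA installed or it will reject the connection.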