[squid-users] MITM the MITM
Will BMD
will at brainmeltdown.net
Tue Jan 4 09:35:35 UTC 2022
Hey Antony,
Thanks for the quick response.
> - What sort of firewall is this?
The firewall is a Cisco FTDv 6.6.
> - What does "HTTPS inspect" actually mean?
> - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
> between client and server (neither of which is the firewall)?
> - What does "inspect" mean? What information is revealed from the inspection
> of the encrypted communication?
It's doing something they call 'decrypt and resign', similar to how
ssl_bump works, so would putting the firewall certificate on the Squid
server's trusted certificates source be enough?
> Why? Where would the proxy servers need to be instead, in order for this
> inspection to work?
Good question, their documentation says the following:
HTTP proxy limitation
The system cannot decrypt traffic if an HTTP proxy is positioned
between a client and your managed device, and the client and server
establish a tunneled TLS/SSL connection using the CONNECT HTTP
method. The Handshake Errors undecryptable action determines how the
system handles this traffic.
> Alternatively, how does/would it work if the proxy were not there, and clients
> communicated directly to the Internet through the firewall?
If the proxy wasn't there, it looks like it works the same as ssl_bump.
> Have you asked the suppliers / authors / vendors of the firewall?
Not yet but I will be doing so today.
> If it's the firewall telling you there's a problem, this doesn't entirely feel
> like a Squid question.
Okay, what if we removed the firewall and replaced it with another squid proxy server, where that is also doing ssl_bump. I assume this would work but are there negative implications of doing so?
Appreciate you taking the time.
Thanks,
Will
On 04/01/2022 00:35, Antony Stone wrote:
> On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:
>
>> Hey all,
>>
>> I currently have the following network topology, it's emulating a real
>> world environment. The proxy is running ssl_bump.
>>
>> LAN <-> Squid Proxy <-> Firewall <-> Internet
>>
>> From the Firewall's perspective all client connections are originating
>> as the proxy server.
> Okay, that makes good sense.
>
>> We're wanting to use the https inspect feature of the firewall,
> Please give more details?
>
> - What sort of firewall is this?
> - What does "HTTPS inspect" actually mean?
> - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
> between client and server (neither of which is the firewall)?
> - What does "inspect" mean? What information is revealed from the inspection
> of the encrypted communication?
>
>> but according to our firewall documentation it appears due to the location of
>> our proxy servers we would be unable to do so.
> Why? Where would the proxy servers need to be instead, in order for this
> inspection to work?
>
> Alternatively, how does/would it work if the proxy were not there, and clients
> communicated directly to the Internet through the firewall?
>
>> My question is, if the proxy is behaving as a MITM between itself and
>> the client, can't the Firewall do the same thing between itself and the
>> proxy?
> I agree. Have you asked the suppliers / authors / vendors of the firewall?
>
>> I suspect it is possible, but might potentially involve a lot of headaches
>> and a big hit on performance?
> Who knows?
>
> If it's the firewall telling you there's a problem, this doesn't entirely feel
> like a Squid question.
>
>
> Antony.
>
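As an added example (not from this thread, nor Squid's or Cisco's own documentation), a squid.conf excerpt for the "put the firewall certificate in Squid's trust store" idea: Squid keeps bumping clients with its own CA, while its outgoing TLS verifies the firewall's re-signed server certificates against the firewall CA through tls_outgoing_options. File paths, the firewall CA file name and the Squid 4+ directive names are assumptions.

```conf
# /etc/squid/squid.conf (excerpt, assumed paths)

# Client side: Squid is the MITM towards the LAN, using its own CA
# (squid-ca.pem must be trusted by the LAN clients).
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl_cert/squid-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Server side: Squid's outbound TLS now terminates on the firewall's
# "decrypt and resign" engine, so the certificates Squid receives are
# issued by the firewall CA, not the origin's public CA. Trusting that CA
# here (assumed file) keeps Squid's certificate validation working; without
# it every bumped site fails verification and clients get Squid error pages.
tls_outgoing_options cafile=/etc/squid/firewall-resign-ca.pem

# Keep strict validation: do not blanket-ignore certificate errors, so a
# second, unexpected re-signer upstream is still detected as a failure.
sslproxy_cert_error deny all
```

Whether the firewall decrypts Squid's outbound connections at all is still governed by the HTTP proxy limitation quoted above; this trust setting only removes Squid's verification errors once it does.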