[squid-users] MITM the MITM
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 7 08:27:28 UTC 2022
FYI people,
When Squid
On 7/01/22 06:33, Grant Taylor wrote:
> On 1/4/22 2:35 AM, Will BMD wrote:
>> HTTP proxy limitation
>>
>> The system cannot decrypt traffic if an HTTP proxy is positioned
>> between a client and your managed device, and the client and server
>> establish a tunneled TLS/SSL connection using the CONNECT HTTP method.
>> The Handshake Errors undecryptable action determines how the system
>> handles this traffic.
>
> I ... don't know what to make of this. I would have some questions for
> the vendor (Cisco).
>
This reads to me like the FTDv supports plain-text HTTP on port 80 and
HTTPS on port 443, not CONNECT tunnel intercept/decrypt, nor TLS between
proxies.
So when a proxy like Squid is placed in front:
* it cannot handle being configured as a peer to Squid. Because those
peers get HTTPS as CONNECT tunnels, or the TLS is proxy-proxy TLS not
client-server.
* it probably can handle Squid terminating CONNECT requests and
tunneling directly to port 443. Because that TLS is done by client, not
Squid.
* it probably can handle Squid SSL-Bump splice or bump traffic with
*no* peers configured. Because Squid is then just another client talking
over port 443 to a server. However, you will need Squid to trust the
FTDv signing certificate, just like clients for SSL-Bump need to trust
Squid's.
HTH
Amos
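As an added illustration of the third case above (not part of Amos's post or the squid-users thread), here is what a Squid 4+ configuration for "SSL-Bump with no peers, trusting the FTDv signing CA" looks like. The file paths, listening port, ACL names and the example.com domain are assumptions chosen for illustration; the directives themselves are standard Squid 4 directives.

```squidconf
# Added example configuration, not from the squid-users thread.
# Squid 4+: SSL-Bump with no cache_peer, so the inspection device sitting
# between Squid and the Internet sees ordinary port-443 TLS originated by
# Squid, and Squid trusts that device's re-signing CA.
# Paths, port and ACL names are assumptions for illustration.

# Intercepting listener. Clients must trust the CA in squid-ca.pem,
# in the same way Squid must trust the FTDv CA further down.
http_port 3128 ssl-bump tls-cert=/etc/squid/ssl/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-site certificates for bumped connections.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first, then bump only what the ACL selects
# and splice (pass through undecrypted) everything else.
acl step1 at_step SslBump1
# Constructed example domain; replace with the sites that must be decrypted.
acl bump_domains ssl::server_name .example.com
ssl_bump peek step1
ssl_bump bump bump_domains
ssl_bump splice all

# Squid's own outgoing TLS. The FTDv re-signs server certificates with its
# own CA, so that CA must be trusted here or every bumped connection fails
# certificate verification. default-ca=on keeps the system trust store too.
tls_outgoing_options cafile=/etc/squid/ssl/ftdv-signing-ca.pem default-ca=on

# No cache_peer lines: a peer would turn the traffic into CONNECT tunnels
# or proxy-to-proxy TLS, which the post says the FTDv cannot decrypt.
# Force direct forwarding so nothing is ever routed via a peer.
always_direct allow all
```

The check that matters in practice is the one the post points at: if `cafile=` does not contain the FTDv signing CA, bumped connections fail with certificate verification errors in cache.log, while spliced connections still work because Squid never validates that TLS.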