<div dir="ltr">Amos, thank you for the quick response. My original question could use an example to clarify.<div><br></div><div>client ------> <a href="http://example.com">example.com</a> (HTTPS squid proxy) ------> <a href="http://instance.example.com">instance.example.com</a> (HTTPS server)</div><div><br></div><div>The HTTPS squid proxy on <a href="http://example.com">example.com</a> has a trusted wildcard certificate for *.<a href="http://example.com">example.com</a></div><div>The HTTPS server on <a href="http://instance.example.com">instance.example.com</a> has an untrusted certificate for <a href="http://instance.example.com">instance.example.com</a></div><div><br></div><div>So without MITM, the client issues a CONNECT to squid running on <a href="http://example.com">example.com</a> which does its TLS, authenticates, connects to upstream then goes into tunneling mode. The client does the TLS handshake with <a href="http://instance.example.com">instance.example.com</a>, receives its untrusted certificate, and isn't happy.</div><div><br></div><div>I'm looking for a MITM mode that, instead of requiring a CA that can dynamically create trusted certs on the fly, will return a wildcard certificate for all requests (or even better, for any requests matching hosts in its subdomain). Is that something that exists?</div><div><br></div><div>I hacked up my own version of ssl_crtd to serve a static cert and ran into another wrinkle. Is there a version of squid that supports ssl-bump with https_port?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 25, 2019 at 9:42 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 26/01/19 5:51 am, Bill Bernsen wrote:<br>
> Hi,<br>
> <br>
> I have squid running as an explicit forward proxy on the<br>
> host <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> controlling access to all hosts<br>
> in *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>. All the hosts in *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> have self-signed certificates that I want to<br>
> appear as trusted to user browsers. I don't have the option of obtaining<br>
> a trusted CA. I do, however, have a trusted wildcard certificate for<br>
> *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> available. Is there a way that I can<br>
> tell squid to present this static wildcard certificate to clients in<br>
> lieu of all upstream server certificates?<br>
<br>
<br>
As a forward proxy clients are *not* connecting to any of the<br>
*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> domains. They are connecting to your proxy hostname - and<br>
telling it to take care of the origin connections. So all clients need<br>
is trust for the CA which signed the proxy's certificate.<br>
<br>
The proxy is the only agent in the path which needs to trust the<br>
wildcard *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> certificate.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
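Added example, not part of the thread above and not code from the Squid project: a squid.conf fragment showing the static-certificate SSL-Bump setup the question is asking about, written against Squid 4 directive names as I understand them. The port number, file paths and the behaviour that generate-host-certificates=off makes Squid present the port's own tls-cert to bumped clients are assumptions to verify against the http_port documentation for the version in use; the second question (ssl-bump on an https_port, i.e. TLS between client and proxy) is deliberately not addressed here.

```conf
# Added example (not from the mailing-list thread): bump CONNECT tunnels to
# *.example.com and present one static wildcard certificate instead of
# generating a certificate per origin host. Port and paths are placeholders.

# Explicit forward-proxy port with SSL-Bump. With generate-host-certificates=off
# Squid is assumed to hand bumped clients the tls-cert configured on this port
# rather than minting a per-host certificate via security_file_certgen.
http_port 3128 ssl-bump \
    generate-host-certificates=off \
    tls-cert=/etc/squid/wildcard.example.com.pem \
    tls-key=/etc/squid/wildcard.example.com.key

# Only bump tunnels whose CONNECT target is under example.com; splice the rest
# so clients still see the real origin certificate for unrelated sites.
acl bump_targets ssl::server_name .example.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump bump_targets
ssl_bump splice all

# The origins use self-signed certificates, and once a tunnel is bumped the
# client can no longer verify the origin itself, so the proxy must. Trusting
# the specific self-signed certs as a local bundle keeps that check; the common
# shortcut "sslproxy_cert_error allow all" would silence every upstream error.
tls_outgoing_options cafile=/etc/squid/internal-origin-certs.pem
```

The ACL limits the bump to the wildcard's own namespace: a bumped client is shown the *.example.com certificate regardless of the CONNECT target, so bumping a tunnel to any other host would produce a name mismatch at the browser anyway.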