[squid-users] ssl-bump doesn't like valid web server
Steve Hill
steve at opendium.com
Mon Feb 2 12:09:12 UTC 2015
On 22.01.15 08:14, Amos Jeffries wrote:
> Squid only *generates* server certificates using that helper. If you
> are seeing the log lines "Generating SSL certificate" they are
> incorrect when not using the helper.
>
> The non-helper bumping is limited to using the configured http(s)_port
> cert= and key= contents. In essence only doing client-first or
> peek+splice SSL-bumping styles.
I'm pretty sure this is incorrect - I'm running Squid 3.4 without
ssl_crtd, configured to bump server-first. The cert= parameter to the
http_port line points at a CA certificate. When visiting an https site
through the proxy, the certificate sent to the browser is a forged
version of the server's certificate, signed by the cert= CA. This
definitely seems to be server-first bumping - if the server's CA is
unknown, Squid generates an appropriately broken certificate, etc. as
you would expect.
Am I missing something?
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
More information about the squid-users
mailing list