[squid-users] ssl-bump doesn't like valid web server

Eliezer Croitoru eliezer at ngtech.co.il
Mon Feb 2 13:23:33 UTC 2015


Hey Steve,

On what OS are you running Squid? Is it a self-compiled one?

Eliezer

On 02/02/2015 14:09, Steve Hill wrote:
>
> I'm pretty sure this is incorrect - I'm running Squid 3.4 without
> ssl_crtd, configured to bump server-first.  The cert= parameter to the
> http_port line points at a CA certificate.  When visiting an https site
> through the proxy, the certificate sent to the browser is a forged
> version of the server's certificate, signed by the cert= CA.  This
> definitely seems to be server-first bumping - if the server's CA is
> unknown, Squid generates an appropriately broken certificate, etc. as
> you would expect.
>
> Am I missing something?



