[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Mon Jul 6 13:34:19 UTC 2015


2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3 at treenet.co.nz>:
> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>
>> Here is some of my experiments:
>> 1) Remove "never_direct"
>> Then ssl_bump works as expected, but all traffic doesn't go through
>> the SOCKS5 proxy. So there are a lot of sites I can't access.
>>
>> 2) Use local 8118 proxy
>> That works fine without any problem, but ssl_bump is needed...
>> So that just proves privoxy is working.
>>
>> Any clue?
>
>> Also, if I disable "ssl_bump" at http_port line, squid works without
>> any problem just as a forwarder.
>> But that makes no sense anyway.
>
> Makes perfect sense. Would you like anybody to be able to decrypt your
> HTTPS traffic and send it as plain-text wherever they want?
>
> Squid does not permit that. All inbound encrypted traffic must one way
> or another leave upstream only by encrypted channels.

Agree with Yuri, I hate the government (Yeah, especially the f**king
China gov!) and the evil Chinese one has already tried this trick on
Gmail some months ago.

That's who forces me to pass the traffic to privoxy, as the Great
Firewall is already blocking me from reaching most sites in the open
world.

Also, you are a little confused about SSL bump and encryption/authentication.

SSL bump in fact doesn't do black magic to magically decrypt
everything without cost.
PKI still lets you know that someone is bumping your SSL communication.

So normally with SSL bump, you will see a big browser warning about
the unknown issuer of the faked certificates.
And normal routines like curl will just abort the connection when they
find the certificate is not valid.

Although the communication loses its encryption, you can still know you
are being monitored.
And this implementation needs you to trust the fake CA.
If one doesn't trust it, just blacklist the fake CA and use Tor or
whatever to really hide the trace.

So although SSL bump destroys encryption, it doesn't destroy
authentication.
And the combination of SSL bump and cache_peer should be allowed, if
there are no bugs or configuration errors on my side.

Thanks.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
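
The point the message above makes about bumped certificates, as an added example that is not part of the original post or thread: a certificate with the right host name but signed by a proxy-style CA is rejected by a client that trusts only its usual roots, is accepted once that CA is trusted, and names its signer in the issuer field. Every key, certificate and name is constructed locally with the openssl command line; `make_ca`, `verdict` and `bump_demo` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and name here is constructed locally.

# make_ca DIR NAME CN: throwaway self-signed CA in DIR/NAME.pem and DIR/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/req.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# verdict CAFILE CERT: "trusted" if CERT chains to CAFILE, else "rejected"
verdict() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' \
    && echo trusted || echo rejected
}

# bump_demo: line 1 = verdict without / with the bump CA trusted, line 2 = issuer
bump_demo() {
  local d without with
  d=$(mktemp -d) || return 2
  # Minimal request config so the two CAs carry basicConstraints CA:TRUE.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = placeholder' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' > "$d/req.cnf"
  make_ca "$d" public "Constructed Public Root"  # the client's usual trust store
  make_ca "$d" bump "Constructed Bump CA"        # the proxy's signing CA
  # A per-host certificate as a bumping proxy would mint it:
  # the requested host name as subject, the proxy's CA as issuer.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/bump.pem" -CAkey "$d/bump.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
  without=$(verdict "$d/public.pem" "$d/leaf.pem")
  with=$(verdict "$d/bump.pem" "$d/leaf.pem")
  echo "$without $with"
  openssl x509 -in "$d/leaf.pem" -noout -issuer
  rm -rf "$d"
}

bump_demo
```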

