[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

Yuri Voinov yvoinov at gmail.com
Mon Jul 6 13:48:53 UTC 2015


And also:

As long as you stay in the white robes, the whole world supports the
illusion of HTTPS security. The world has changed over the past three
years. And by the way, your 3.4 branch has long been used in commercial
solutions, doing the bump. The illusion of security is much worse than
insecurity. Isn't it time to admit it?

06.07.15 19:34, adam900710 writes:
> 2015-07-06 20:06 GMT+08:00 Amos Jeffries <squid3 at treenet.co.nz>:
>> On 6/07/2015 9:30 p.m., adam900710 wrote:
>>>
>>> Here is some of my experiments:
>>> 1) Remove "never_direct"
>>> Then ssl_bump works as expected, but all traffic doesn't go through
>>> the SOCKS5 proxy. So there are a lot of sites I can't access.
>>>
>>> 2) Use local 8118 proxy
>>> That works fine without any problem, but SSL_dump is needed...
>>> So that just proves privoxy is working.
>>>
>>> Any clue?
>>
>>> Also, If I disable "ssl_bump" at http_port line, squid works without
>>> any problem just as a forwarder.
>>> But that makes no sense anyway.
>>
>> Makes perfect sense. Would you like anybody to be able to decrypt your
>> HTTPS traffic and send it as plain-text wherever they want?
>>
>> Squid does not permit that. All inbound encrypted traffic must one way
>> or another leave upstream only by encrypted channels.
> Agree with Yuri, I hate the government (Yeah, especially the f**king
> China gov!) and
> the evil Chinese one has already tried this trick on gmail some months ago.
>
> That's who forces me to pass the traffic to privoxy, as the Great
> Firewall is already
> blocking me to reach most sites in the open world.
>
> Also you get a little confused with ssl dump and
> encryption/authentication.
>
> SSL bump in fact doesn't do the black magic to magically decrypt
> everything without cost.
> PKI things still let you know that someone is bumping your SSL
> communication.
>
> So normally with SSL bump, you will see a big browser warning about
> the unknown issuer of
> the faked certificates.
> And normal routines like curl will just abort the connection when they
> find the certificate is not valid.
>
> Although the communication lost the encryption, you can still know you
> are under monitoring.
> And this implementation needs you to trust the fake CA.
> If one doesn't trust it, just blacklist the fake CA and use tor or
> whatever to really hide the trace.
>
> So although ssl bump destroys encryption, it doesn't destroy
> authentication.
> And the combination of ssl bump and cache peer should be allowed if there
> are no bugs or configuration errors on my side.
>
> Thanks.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users

