[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

maple maple.feng.wang at hotmail.com
Mon Nov 9 09:43:07 UTC 2015


Hi Amos,

thanks for the confirmation, but I'm not sure if my upstream proxy supports
TLS/SSL in the way you said. We can use it to proxy both HTTP and HTTPS
requests; does that mean it supports TLS/SSL?

To be honest, I'm not familiar with the principles of HTTP/HTTPS proxies at
all. To solve this problem I read some posts about them; an HTTP proxy is
pretty straightforward, but for an HTTPS proxy I'm really confused by the
explanations in the various posts. If possible, could you help answer some
basic questions of mine about it? Thanks in advance.

1. Let's first talk about the scenario of explicitly using an HTTPS proxy on
the client side: it's said that the client connects to the proxy and makes a
CONNECT request to set up a TCP tunnel between client and server; the HTTPS
proxy blindly forwards data in both directions without knowing anything about
the contents. The negotiation of the SSL connection happens over this tunnel,
and the subsequent flow of requests and responses is completely opaque to
the proxy.

That's easy to understand, but it seems there is no need for the proxy to
hack HTTPS, so why do some Man-In-The-Middle proxies like Squid make a great
effort to intercept this HTTPS traffic? What kind of use case needs this
intercept function?

2. For transparent mode, as I understand it (please correct me if I'm not
right), it's because the destination hostname/IP is omitted in the CONNECT
request, so the routing mechanism that has performed the redirection keeps
track of the original destination; the transparent proxy fetches the original
destination from the routing mechanism, then performs the same process as
explicitly using a proxy above.

So in my scenario, it seems there is also no reason to use the intercept way
to hack HTTPS in transparent mode. Why doesn't Squid just act as a forwarder
to set up a tunnel for HTTPS communication between server and client? What is
the point of making a big effort to intercept and create fake certificates?

Best regards.




