[squid-users] using squid3 without certificate
Antony Stone
Antony.Stone at squid.open.source.it
Mon Jul 11 22:09:11 UTC 2016
On Monday 11 July 2016 at 23:07:06, HackXBack wrote:
> Is there any news for using squid3 for caching https connections without
> install certificates in client browser manually ?
Yes, it's impossible.
The client needs to see a server certificate signed by a trusted CA.
If Squid is going to intercept (which I infer from your question) HTTPS
connections, it has to present a certificate to the client which it has created
on-the-fly for the destination server and which is acceptable to the client.
To create such certificates on-the-fly, Squid needs to have a CA certificate and
a private signing key, to create new certificates trusted by any client which
trusts that CA.
If it were able to do that using any of the CA certificates already installed
and trusted by standard clients, then Squid would be able to fake a certificate
for (almost) any site on the Internet, thus destroying the HTTPS trust model.
That ain't gonna happen.
Therefore the only way to do HTTPS interception is to create a local CA and
install that CA's certificate on all clients which need to use that Squid.
The whole point is that HTTPS interception is a MITM "attack" (I use the term
slightly loosely), and therefore no browser is going to let you get away with
it lightly.
Hope that helps,
Antony.
--
Tinned food was developed for the British Navy in 1813.
The tin opener was not invented until 1858.
Please reply to the list;
please *don't* CC me.