[squid-users] SSL Inspection Question

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 30 21:34:28 UTC 2016


On 09/30/2016 03:12 PM, Evan Blackstone wrote:

> Is there any safe way of using SSL-Bump on Squid to decrypt client
> traffic, redirect (via standard HTTP or some other means) to another
> network location, then receive and re-encrypt it before sending it out
> to its ultimate destination? 

You have two options:

1. Write or purchase an eCAP adapter (or an ICAP service) that does what
you want. eCAP and ICAP are the only Squid interfaces to get
[unencrypted] bumped messages out of Squid without modifying Squid.

2. Modify Squid to do what you want. I doubt such modifications would be
officially accepted, but I might be wrong.

The biggest problem with what you want to do is the "then receive" part.
Sending unencrypted traffic to a DPI system is straightforward and there
is at least one eCAP adapter doing that already, but that is a "one way"
"inform only" solution. If you want the traffic to come back to the
adapter (and then to Squid), then you would have to do a lot more work.


> Is this idea insane?

Many would consider SslBump itself "insane"...

IMHO, the security implications of your scheme depend on how that
unencrypted traffic will reach your web filter product. If the security
of the transmission channel is comparable to the security of the web
filter product itself, then you are not really making [the already
insane] thing _much_ worse.


HTH,

Alex.
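To make option 1 concrete, here is a squid.conf fragment (an added illustration, not configuration from this thread or from the Squid project) that bumps client TLS and hands the decrypted messages to an ICAP service. It assumes Squid 3.5-era directives, an ICAP server listening on 127.0.0.1:1344, and placeholder paths for the signing CA and certificate database.

```conf
# Added example: SslBump plus an ICAP hand-off of the decrypted messages.
# Assumptions: Squid 3.5 directive names, an ICAP server on 127.0.0.1:1344,
# placeholder CA/cert-db paths. Adjust before use.

# 1. Terminate client TLS and re-encrypt to the origin (SslBump).
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1     # read the ClientHello / SNI first
ssl_bump bump all       # then decrypt; narrow this ACL in practice

# 2. Hand decrypted requests and responses to the ICAP service.
#    This is the "one way / inform only" path described in the reply:
#    the service may inspect or rewrite a message, but Squid itself still
#    re-encrypts and sends the result to the origin; the adaptation
#    interface gives no way to route the bytes elsewhere and get them back.
icap_enable on
icap_service filter_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=off
icap_service filter_resp respmod_precache icap://127.0.0.1:1344/response bypass=off
adaptation_access filter_req  allow all
adaptation_access filter_resp allow all

# bypass=off makes an ICAP failure an error for the client instead of
# silently letting the unfiltered message through.
# The reply's caveat applies to the icap:// link itself: keep the service on
# the loopback or an isolated segment so the plaintext channel is at least as
# protected as the filter; Squid 4 and later can also use TLS (icaps://).
```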


