[squid-users] How to make sslbump'ing more robust? (option to continue?)

Alex Rousskov rousskov at measurement-factory.com
Thu May 11 16:19:39 UTC 2017


On 05/10/2017 11:15 PM, L A Walsh wrote:
> I tried accessing a site that had an expired certificate today

> In going through squid, I got [a Squid error page]

> But trying the same page through IE, I got [IE error page with]
> Continue to this website (not recommended).

> Is there any way to put up some similar page to describe the problem,
> and most importantly, allow the connection to continue at user
> discretion?

Yes, there is a way. Your options include:

1. Tell Squid to ignore expired certificate errors. Squid will then
mimic the expired certificate while allowing the client traffic. The
client should then detect the expired (fake) certificate and may offer
the user a way to bypass the problem. However, if the client is not smart
enough, it may silently allow the connection to an attacker. In general,
not all clients are smart browsers (and not all users are smart enough
not to bypass warnings that should not be bypassed). It is your decision
whom to delegate certificate freshness checks to. By default, Squid does
them (and smart browsers do them as well). This is not so much about
robustness but mostly about security.

2.1. Customize Squid error page(s). You can make them look almost exactly
like the browser error pages if you want.

2.2. Add user-driven error bypass to #2.1. Write Squid helper scripts
(at least!) that convert user clicking a link in a Squid-generated error
page to Squid ignoring the expired certificate error and generating a
fresh fake certificate (instead of the expired one). Implementing this
well is difficult, but, AFAICT, possible.

For more details and starting points, please see error_directory,
sslproxy_cert_error, sslproxy_cert_adapt, and external_acl_type in
squid.conf.documented.


HTH,

Alex.
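The following squid.conf fragment is an added illustration of option 1 above, not configuration from the original post or from the Squid project. It places the blanket "ignore the error everywhere" setting next to a scoped version that ignores only the expired-certificate error, only for listed origin servers, and that mints a fake certificate with a valid "Not After" instead of copying the expired one. The directive names (http_port ssl-bump, ssl_bump, sslproxy_cert_error, sslproxy_cert_adapt, the ssl_error and ssl::server_name ACL types, the setValidAfter algorithm) are documented in squid.conf.documented; the ACL names, the CA path, the port and the domain list file are assumptions made for the example.

```conf
# Added example (not from the original post). ACL names, the CA certificate
# path, the port and the domain list file are assumptions for illustration.

# Intercept-and-bump listener with on-the-fly certificate generation.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# WEAK: option 1 applied to every site. Squid mimics whatever broken
# certificate the server presents, for every client, and relies on the
# client to notice. A non-browser client that does not validate dates will
# silently accept an attacker's certificate.
#
# sslproxy_cert_error allow all

# SCOPED: ignore only the expired-certificate error (OpenSSL verify code
# X509_V_ERR_CERT_HAS_EXPIRED), and only for servers an administrator has
# listed explicitly in the assumed file /etc/squid/expired_ok_sites.txt
# (one domain per line, e.g. ".example.net"). Everything else is denied,
# so Squid keeps doing the freshness checks the post describes.
acl cert_expired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl expired_ok_sites ssl::server_name "/etc/squid/expired_ok_sites.txt"

sslproxy_cert_error allow cert_expired expired_ok_sites
sslproxy_cert_error deny all

# Instead of mimicking the expired "Not After", generate the fake
# certificate with the signing CA's "Not After" so the client sees a
# fresh certificate for the sites that were deliberately exempted.
sslproxy_cert_adapt setValidAfter cert_expired expired_ok_sites
```

The scoped rules keep the decision with the administrator rather than with every client: a site on the list gets a fresh fake certificate, and a site not on the list still produces the Squid error page. The fragment does not attempt the user-driven bypass of option 2.2; that requires an external_acl_type helper that turns a click on the error page into a per-user exemption, which the post describes as possible but difficult and does not spell out.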
