[squid-users] question about squid and https connection.
Amos Jeffries
squid3 at treenet.co.nz
Thu Jul 12 23:07:24 UTC 2018
On 13/07/18 08:27, Eliezer Croitoru wrote:
> Alex,
>
> Just to be sure:
> Every RSA key and certificate pair, regardless of the origin server and the SSL-BUMP enabled proxy, can be different.
> If the key would be the exact same one then we will probably have a very big security issue/risk to my understanding (leaving aside DH).
>
> Will it be more accurate to say that, just as long as these 200 squid instances (different squid.conf and a couple of other local variables)
> use the same exact ssl_db cache directory, it's probable that they will use the same certificate?
> Or these 200 squid instances are in SMP mode with 200 workers...
> If these 200 instances do not share memory and certificate cache, then there is a possibility that the same site from two different sources
> will serve different certificates (due to the different RSA key which is different).
>
Instances (in terms of how we defined the term "Squid instance") cannot
share memory. They are completely separate processes. Even when in
SMP-aware operation, they are separate process groups. That is why you
have to use the -n name command line parameter to direct signals at
specific instances.
In regard to the certs: the generation of a fake cert is a hard-coded
algorithm - using the inputs Alex mentioned. The only way differences
occur between any two Squid fake certs is when the real origin server
cert given to each of them is different.
In that case you *do* absolutely want the fake ones to differ as well -
even (and especially) when they come from the same origin server.
Think of Squid as copy-n-pasting cert field values from the origin cert
to the fake cert. You won't be far off what's really happening.
Amos
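The copy-n-paste behaviour described above, as an added example that is not Squid's own code: a Go program builds a constructed proxy CA and a stand-in origin server certificate, then issues a mimic leaf whose subject, SANs and validity are copied from the origin while the key, serial and signature are the proxy's own. The names ("Proxy CA", example.test) and all function names are assumptions, and the program does not model Squid's ssl_db cache or the exact field set sslcrtd copies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue generates a fresh key for tmpl and signs the cert with signer (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if signer == nil { parent, signer = tmpl, k }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &k.PublicKey, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c, k
}
// selfSigned builds a constructed proxy CA (ca=true) or a stand-in origin server leaf (ca=false).
func selfSigned(cn string, sans []string, ca bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca}
	return issue(t, t, nil)
}
// Mimic models the copy-n-paste: subject, SANs and validity come from origin; key, serial and signature are the proxy's.
func Mimic(origin, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{SerialNumber: serial, Subject: origin.Subject, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter}
	c, _ := issue(t, ca, caKey)
	return c
}
// SameIdentity reports whether two leaves carry the same subject and SAN list (the copied fields).
func SameIdentity(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() && fmt.Sprint(a.DNSNames) == fmt.Sprint(b.DNSNames)
}
// IssuedBy tells a bumped leaf (signed by the proxy CA) from the origin server's own cert.
func IssuedBy(leaf, ca *x509.Certificate) bool { return leaf.CheckSignatureFrom(ca) == nil }

func main() {
	ca, caKey := selfSigned("Proxy CA", nil, true)
	origin, _ := selfSigned("example.test", []string{"example.test"}, false)
	a, b := Mimic(origin, ca, caKey), Mimic(origin, ca, caKey)
	fmt.Println(SameIdentity(a, b), string(a.RawSubjectPublicKeyInfo) == string(b.RawSubjectPublicKeyInfo), IssuedBy(a, ca), IssuedBy(origin, ca))
}
```

Two mimics of the same origin agree on every copied field yet carry different keys and serials, and IssuedBy shows that the signing CA is what separates a bumped leaf from the origin's own certificate.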