[squid-users] Ignore SSL error and splice by ssl::server_name at the same time
Ahmad, Sarfaraz
Sarfaraz.Ahmad at deshaw.com
Wed Jun 20 09:04:18 UTC 2018
Hi,
I need to provide access to an API service exposed on the internet to my clients. That API uses a certificate signed by a private CA.
I don't want to trust that private CA in my proxies (lest it gets abused and I end up trusting certificates in the proxy that I shouldn't be. My clients would be unaware since I am bumping all the TLS connections unless explicitly configured.)
To avoid that I tried ignoring the SSL validation error with the sslproxy_cert_error directive and then splicing the connection. But it's not working out.
SubjectCN in that service's certificate is "kube-apiserver"
Ignore settings:
acl broken_kubernetes ssl::server_name kube-apiserver
sslproxy_cert_error allow broken_kubernetes
sslproxy_cert_error deny all
Splicing settings:
acl no_ssl_bump_kubernetes ssl::server_name kube-apiserver
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice no_ssl_bump_kubernetes
ssl_bump bump all
Splicing settings are in the lower half of my config.
But I am still getting MITM'ed (bumped) and on the clients, I get a "Not Trusted by MyCA" certificate being shown. Any ideas?
Regards,
Sarfaraz
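An added illustration, not part of the post and not Squid's own code: a simplified Python model of the documented ssl_bump evaluation, where ssl::server_name is taken from the CONNECT host at SslBump1, the client SNI at SslBump2 and the server certificate at SslBump3, run over the rule set from the message above. The host names are constructed sample values; the "terminate" outcome encodes the documented caveat that peeking at step 2 usually precludes bumping at step 3 (and staring precludes splicing), which is why a splice-or-bump decision on the server certificate alone cannot be expressed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PEEK, STARE, SPLICE, BUMP, TERMINATE = "peek", "stare", "splice", "bump", "terminate"


@dataclass
class Rule:
    """One ssl_bump line: action plus optional ssl::server_name and at_step ACLs."""
    action: str
    server_names: Optional[FrozenSet[str]] = None  # None means "all"
    at_step: Optional[int] = None                  # None means any step


def server_name_at(step: int, connect_host: str, sni: Optional[str], cert_cn: str) -> str:
    """What ssl::server_name can match at each step (per the Squid docs)."""
    if step == 1:
        return connect_host          # SslBump1: only the CONNECT request host
    if step == 2:
        return sni or connect_host   # SslBump2: TLS ClientHello SNI, if present
    return cert_cn                   # SslBump3: subject of the server certificate


def evaluate(rules: List[Rule], connect_host: str, sni: Optional[str],
             cert_cn: str) -> Tuple[str, int, str]:
    """First matching rule per step decides; peek/stare continue to the next step."""
    previous = None
    for step in (1, 2, 3):
        name = server_name_at(step, connect_host, sni, cert_cn)
        action = next((r.action for r in rules
                       if r.at_step in (None, step)
                       and (r.server_names is None or name in r.server_names)),
                      SPLICE)  # no rule matches: Squid's default is to tunnel
        if action in (PEEK, STARE):
            previous = action
            continue
        # Model of the documented caveat: peek at step 2 usually precludes
        # bump at step 3, stare at step 2 usually precludes splice at step 3.
        if step == 3 and ((previous == PEEK and action == BUMP)
                          or (previous == STARE and action == SPLICE)):
            action = TERMINATE
        return action, step, name
    raise ValueError("peek/stare is not a final action at SslBump3")


# Rule set from the post: peek at step 1, splice by name, bump everything else.
POSTED_RULES = [Rule(PEEK, at_step=1),
                Rule(SPLICE, frozenset({"kube-apiserver"})),
                Rule(BUMP)]

if __name__ == "__main__":
    # Constructed sample: client uses a public host name, cert CN is kube-apiserver.
    print(evaluate(POSTED_RULES, "api.example.test", "api.example.test", "kube-apiserver"))
```

With the posted rules the splice ACL is only compared against the CONNECT host and SNI, so a client that connects to a public name other than "kube-apiserver" is bumped at step 2 and the certificate subject is never consulted.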