[squid-users] Using a static wildcard certificate with ssl-bump in explicit forward proxy mode
Bill Bernsen
bernsen at gmail.com
Wed Jan 30 18:47:10 UTC 2019
Amos, thank you for the quick response. My original question could use an
example to clarify.
client ------> example.com (HTTPS squid proxy) ------> instance.example.com
(HTTPS server)
The HTTPS squid proxy on example.com has a trusted wildcard certificate for
*.example.com
The HTTPS server on instance.example.com has an untrusted certificate for
instance.example.com
So without MITM, the client issues a CONNECT to squid running on example.com
which does its TLS, authenticates, connects to upstream then goes into
tunneling mode. The client does the TLS handshake with instance.example.com,
receives its untrusted certificate, and isn't happy.
I'm looking for a MITM mode that, instead of requiring a CA that can
dynamically create trusted certs on the fly, will return a wildcard
certificate for all requests (or even better, for any requests matching
hosts in its subdomain). Is that something that exists?
I hacked up my own version of ssl_crtd to serve a static cert and ran into
another wrinkle. Is there a version of squid that supports ssl-bump with
https_port?
On Fri, Jan 25, 2019 at 9:42 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 26/01/19 5:51 am, Bill Bernsen wrote:
> > Hi,
> >
> > I have squid running as an explicit forward proxy on the
> > host example.com <http://example.com/> controlling access to all hosts
> > in *.example.com <http://example.com/>. All the hosts in *.example.com
> > <http://example.com/> have self-signed certificates that I want to
> > appear as trusted to user browsers. I don't have the option of obtaining
> > a trusted CA. I do, however, have a trusted wildcard certificate for
> > *.example.com <http://example.com/> available. Is there a way that I can
> > tell squid to present this static wildcard certificate to clients in
> > lieu of all upstream server certificates?
>
>
> As a forward proxy clients are *not* connecting to any of the
> *.example.com domains. They are connecting to your proxy hostname - and
> telling it to take care of the origin connections. So all clients need
> is trust for the CA which signed the proxy's certificate.
>
> The proxy is the only agent in the path which needs to trust the
> wildcard *.example.com certificate.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190130/634b9ad1/attachment.html>
More information about the squid-users
mailing list