[squid-users] Squid + OpenSSL w/FIPS
Antony Stone
Antony.Stone at squid.open.source.it
Tue Jul 2 21:30:36 UTC 2019
On Tuesday 02 July 2019 at 23:05:27, Cody Cushing wrote:
> Hello, I would like to use Squid as a forward proxy to ensure traffic
> leaving my VM is using a TLS connection negotiated through a client using
> FIPS certified encryption. I have OpenSSL w/FIPS configured on my VM, and
> Squid properly configured as a forward proxy.
So, surely all you need is a firewall to block any direct traffic which attempts
to bypass the TLS client?
> What I do not know is:
> • is this sufficient (does Squid use any available OpenSSL crypto on the
> system)
> • or do I need to compile a custom Squid build referencing the OpenSSL fips
> "modules" (two C libraries)
> • or does Squid reference completely different crypto libraries and neither
> of the above two considerations are even valid
You say you want to use "a TLS connection negotiated through a client using
FIPS certified encryption". What's at the other end of that connection (ie:
what is your VM talking to to create this link)?
Are you saying that you want HTTPS connections from your VM to go only to
remote servers which support this FIPS-certified TLS method, and no other
websites should be accessible?
Or, are you trying to tunnel HTTP and HTTPS traffic from your VM to some trusted
endpoint - if so, what happens to it from there?
Basically, given a connection from your VM to some random website, what part
of the connection are you trying to encrypt in this specific way?
Regards,
Antony.
--
"Life is just a lot better if you feel you're having 10 [small] wins a day
rather than a [big] win every 10 years or so."
- Chris Hadfield, former skiing (and ski racing) instructor
Please reply to the list;
please *don't* CC me.
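The first bullet of the quoted question (does Squid use whatever OpenSSL the system provides, or does it need a custom build against the FIPS modules) depends on how the Squid binary was built and linked. Squid is compiled with its own configure switches `--with-openssl` or `--with-gnutls`, and `squid -v` prints those options back; `ldd` shows whether the binary resolves libssl/libcrypto dynamically from the system. The script below is an added example for checking both, not code from this thread or from the Squid project. The `squid -v` and `ldd` output it parses is constructed sample text used when no `squid` binary is installed; the function names are my own. Note that a dynamically linked Squid uses the libcrypto the loader resolves at run time, so whether FIPS-approved algorithms are enforced is decided by that OpenSSL installation's configuration, not by Squid.

```shell
#!/bin/sh
# Added example (not from the thread): find out which TLS library a Squid
# binary was built against and whether it links the system libssl/libcrypto.

# Return the TLS backend named in `squid -v` output (passed as $1).
# Squid's real configure switches are --with-openssl and --with-gnutls;
# a build with neither has no TLS support at all.
squid_tls_backend() {
    case "$1" in
        *--with-openssl*) echo openssl ;;
        *--with-gnutls*)  echo gnutls ;;
        *)                echo none ;;
    esac
}

# Return "dynamic" if `ldd` output ($1) shows libssl/libcrypto resolved
# from the system (so the system OpenSSL, FIPS-configured or not, is what
# actually runs), "none" otherwise (static link or no TLS library).
squid_crypto_linkage() {
    case "$1" in
        *libssl.so*|*libcrypto.so*) echo dynamic ;;
        *)                          echo none ;;
    esac
}

# Constructed sample `squid -v` output (version and paths are made up).
SAMPLE_SQUID_V="Squid Cache: Version 4.8
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl'"

# Constructed sample `ldd` output (addresses are made up).
SAMPLE_LDD="	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)"

# Use the live binary when one is installed; otherwise fall back to the samples.
if command -v squid >/dev/null 2>&1; then
    SQUID_V=$(squid -v 2>/dev/null || true)
    LDD_OUT=$(ldd "$(command -v squid)" 2>/dev/null || true)
else
    SQUID_V=$SAMPLE_SQUID_V
    LDD_OUT=$SAMPLE_LDD
fi

echo "TLS backend from configure options: $(squid_tls_backend "$SQUID_V")"
echo "libssl/libcrypto linkage:           $(squid_crypto_linkage "$LDD_OUT")"
```

Run it on the proxy VM; "openssl" plus "dynamic" means the stock Squid already calls into the system OpenSSL, while "gnutls" or "none" means a rebuild against OpenSSL would be needed before the FIPS question even arises.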