[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue May 19 13:24:42 UTC 2020


>On 18/05/20 10:15 am, David Touzeau wrote:
>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>> We have tested major browsers and it seems working good.
>>
>> To make it work, we need to deploy the proxy certificate on all browsers
>> to make the secure connection running.
>>
>> In this case, squid forwards requests without decrypting them, because
>> ssl-bump is not added.
>>
>> But Adding the ssl-bump in https_port is not permitted :
>>
>> "ssl-bump on https_port requires tproxy/intercept which is missing"
>>
>> Why is bumping not allowed?

On 19.05.20 23:15, Amos Jeffries wrote:
>Because origin server and explicit proxy traffic are mutually exclusive
>syntax at the HTTP level, and use different types of SSL certificate at
>the TLS level.
>
>A "Secure proxy" receives explicit-proxy HTTP traffic over TLS. That
>traffic gets decrypted normally on receipt by the https_port, using a
>proxy server certificate.
>
>SSL-Bump auto-generates a server certificate to decrypt with, and
>expects origin form HTTP syntax once decrypted.

David, note that requiring browsers to connect to your proxy over an encrypted
(https) connection, and then decrypting tunnels to the real server, will lower
the clients' security:
Clients will talk HTTPS to the proxy, but the proxy-to-server connection might
just as well be unencrypted (or decrypted by the proxy).
This makes things like SSL authentication impossible.
I understand that you might scan connections for viruses or disabled
content, but the security will be harmed.

>HTTPS traffic as we know it (CONNECT tunnels to port 443) might still be
>sent to a secure proxy. In which case there are two layers of encryption
>nested inside each other. Decrypting the interior layer of that is not yet
>supported by Squid.

so, this is the real problem :-)


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
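As an added illustration (not from anyone in this thread), the squid.conf fragment below shows how the modes Amos distinguishes are expressed in Squid 4.x: a TLS-terminating explicit port using the proxy's own certificate, and the two port types on which ssl-bump is accepted. All file paths, port numbers and ACL names are assumptions for the example.

```conf
# Added example, not from the thread. Paths, ports and ACL names are assumed.

# 1) "Secure proxy": browsers speak explicit-proxy HTTP *over TLS* to Squid.
#    The port terminates TLS with a certificate issued to the proxy's own
#    hostname (its CA is deployed to the browsers). No ssl-bump here: once
#    TLS is removed Squid sees ordinary proxy requests and CONNECT tunnels,
#    and the CONNECT payload is relayed without being decrypted.
https_port 3129 tls-cert=/etc/squid/certs/proxy.example.net.pem \
    tls-key=/etc/squid/certs/proxy.example.net.key

# 2) SSL-Bump on a *plain* explicit port: CONNECT tunnels arriving over
#    cleartext HTTP can be peeked at and bumped. Squid mints a certificate
#    for the requested origin, signed by the local bump CA, and expects
#    origin-form HTTP inside the tunnel.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/certs/bump-ca.pem \
    tls-key=/etc/squid/certs/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 3) SSL-Bump on an intercepted https_port: traffic redirected by the
#    firewall (TPROXY or REDIRECT) is origin-form TLS, so ssl-bump is
#    permitted. This is the tproxy/intercept the error message refers to.
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/certs/bump-ca.pem \
    tls-key=/etc/squid/certs/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Certificate generator helper used by modes 2 and 3 (Squid 4 binary name).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Bump policy: peek at the ClientHello first, then splice (leave end-to-end
# TLS intact) the sites where that matters, e.g. client-certificate
# authentication as Matus notes, and bump everything else.
acl step1 at_step SslBump1
acl no_bump ssl::server_name "/etc/squid/no_bump_domains.txt"
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all
```

Mode 1 and modes 2/3 are different ports because, as Amos explains, the proxy-hostname certificate and the per-origin generated certificate serve different TLS roles; the combination David asked for (ssl-bump on a non-intercept https_port) has no entry here.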