Re: [squid-users] ssl_bump and certificate for client

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Oct 2009 12:15:29 +1300

On Mon, 05 Oct 2009 10:59:49 -0400, "Carsten Lührs" <carsten424_at_aol.com>
wrote:
> Hi,
> I configured ssl_bump as follows:
>
> sslproxy_version 1
> ssl_bump allow all
> sslproxy_cert_error deny all
> always_direct allow all
>
> http_port 3128 sslBump cert=/usr/local/squid/etc/cert.pem
>
> My problem is, that the client receives a certificate issued for the
> squid, not for the original server (using the squid CA) - how could I
> solve this?
>
> Thanks
> Carsten

This is how SSL works. It encrypts the channel between two IP addresses
(Client -> Server).

When you place Squid in the middle (Client->Squid->Server) the SSL
authentication must change so that it authenticates/encrypts the two
different IP connections separately (Client->Squid) and (Squid->Server).

SslBump does that and is why even using it will not allow you to forge
HTTPS requests. In order to use SslBump you require control of the clients
to make them accept the Squid CA. The solution you seek is to push out the
CA signing the Squid certificate to the client browsers.

Amos
Received on Mon Oct 05 2009 - 23:15:32 MDT
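Amos's point (the client only accepts the bumped certificate if it trusts the CA that signed it) can be reproduced on the command line. The script below is an added example, not from the thread and not Squid's own code: it builds a throwaway proxy CA, signs a certificate for a constructed origin name the way the bumping proxy would, and validates that certificate with and without the proxy CA in the client's trust store. It assumes the openssl CLI is installed; every name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's own code): a throwaway
# "proxy CA" and a leaf certificate for a constructed origin name, checked
# the way a client would check it. Needs the openssl CLI; every name here
# is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the CA is marked CA:TRUE whatever the system
# openssl.cnf says; -subj supplies the names, so [dn] stays empty.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'subjectAltName=DNS:origin.example\n' > "$WORK/leaf.ext"

# make_ca CN PREFIX: self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}
# The proxy CA (what the cert= file is signed with) and, for contrast, an
# unrelated CA standing in for the roots a client already trusts.
make_ca "Example Proxy CA" "$WORK/proxyca"
make_ca "Unrelated Public CA" "$WORK/otherca"

# The certificate the proxy presents to the client for origin.example.
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=origin.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  >/dev/null 2>&1
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" -CA "$WORK/proxyca.pem" \
  -CAkey "$WORK/proxyca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# client_check TRUSTSTORE: validate the presented certificate as a browser
# does (chain to a trusted root plus hostname). Prints trusted/untrusted.
client_check() {
  if openssl verify -CAfile "$1" -verify_hostname origin.example \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

client_check "$WORK/proxyca.pem"   # CA pushed out to the client: trusted
client_check "$WORK/otherca.pem"   # CA never installed: untrusted
```

The second call is the situation in the original question: the certificate is valid, but chains to a CA the client has never been told about, so the client rejects it until that CA is distributed.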

This archive was generated by hypermail 2.2.0 : Tue Oct 06 2009 - 12:00:02 MDT