RE: [squid-users] Capabilities of Squid as SSL MITM

From: A G <utopian201_at_hotmail.com>
Date: Sat, 23 Jun 2012 05:01:44 +1200

Thanks Alex and Amos, I'll have a look at those points!

----------------------------------------
> Date: Fri, 22 Jun 2012 10:27:35 -0600
> From: rousskov_at_measurement-factory.com
> To: utopian201_at_hotmail.com
> CC: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Capabilities of Squid as SSL MITM
>
> On 06/21/2012 10:34 AM, A G wrote:
>
> > I am trying to set up squid as a transparent ssl mitm proxy.
>
> You will need to run trunk with a BumpSslServerFirst patch recently
> posted on squid-dev. The patch implements the following feature that is
> essential for bumping transparent SSL connections in production:
> http://wiki.squid-cache.org/Features/BumpSslServerFirst
>
> In my response, I will assume that you are doing the above.
>
>
> > 1. http_port intercept means squid will place its own ip in the
> > packet sent to the destination. Is this correct?
>
> Yes, although the option means more than that, of course.
>
>
>
> > 2. http_port tproxy means squid will preserve the client's ip in the
> > packet sent to the destination, is this correct?
>
> Yes, although the option means more than that, of course.
>
>
>
> > 3. Does ssl bump work only with CONNECT messages? ie clients must have
> > their browser set to use squid as a proxy.
>
> No. It works for both CONNECT and intercepted transactions.
>
>
> > But http://wiki.squid-cache.org/Features/SslBump also says it can mitm
> > transparently redirected SSL traffic. So ssl bump works in
> > 'transparent/intercept' mode;
>
> Yes, it does, but without BumpSslServerFirst, bumping intercepted
> connections generates too many warnings for production use.
>
>
> > 4. What is the
> > point of using http_port (xyz) ssl-bump if port xyz cannot receive ssl
> > traffic? Wouldn't ssl-bump ONLY be used with https_port, not http_port?
>
> Use http_port for bumping CONNECT requests.
> Use https_port for bumping intercepted SSL connections.
>
>
> > 5.
> > After all this, is it possible to use tproxy with ssl-bump?
>
> Yes.
>
>
> > That is, do
> > SSL man in the middle whilst preserving the client's IP address?
>
> Yes.
>
>
> HTH,
>
> Alex.
Received on Fri Jun 22 2012 - 17:01:53 MDT
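As an added illustration of the three deployment modes Alex distinguishes above (http_port for CONNECT bumping, https_port intercept for NAT-redirected SSL, https_port tproxy for redirected SSL with the client address preserved), here is a squid.conf fragment with the matching netfilter rules in comments. This is not configuration from the original thread or from the Squid project's documentation; the port numbers, file paths, cache sizes, the CA certificate name myCA.pem, the TPROXY mark 0x1 and routing table 100 are all assumptions chosen for the example, and the ssl_bump server-first mode is the one the BumpSslServerFirst feature adds.

```conf
# --- Added example, not from the original post. Values below are assumed. ---
#
# Certificate mimicking: Squid signs a per-site leaf certificate with this CA
# (the CA must be trusted by the clients, otherwise every bumped site warns).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# 1. Forward proxy: browsers configured to use 3128 send CONNECT host:443.
#    Plain http_port is enough here because the TLS handshake starts only
#    after Squid answers the CONNECT, so the listener itself sees cleartext.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem

# 2. Intercepted SSL: the client's TCP connection is NAT-redirected to 3129,
#    so Squid must terminate TLS itself, hence https_port, not http_port.
#    Outgoing connections carry Squid's own IP as the source.
#    (assumed rule) iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 \
#                     -j REDIRECT --to-port 3129
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem

# 3. TPROXY: same as 2, but Squid spoofs the original client IP on the
#    server-side connection, so return traffic must route back through this
#    box and Squid needs CAP_NET_ADMIN for the spoofing socket option.
#    (assumed rules)
#    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 \
#        -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
#    ip rule add fwmark 1 lookup 100
#    ip route add local 0.0.0.0/0 dev lo table 100
https_port 3130 tproxy ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem

# Bump after connecting to the origin server first, so the forged leaf
# certificate can copy the real server's subject/SAN. For intercepted
# traffic there is no CONNECT giving the hostname, so client-first bumping
# would have to guess the name from the destination IP and produce the
# warnings Alex mentions.
ssl_bump server-first all

# Bumped requests must go direct; a cache_peer cannot relay decrypted TLS.
always_direct allow all
```

Before relying on any of this in production, confirm with `squid -k parse` that the running build accepts `server-first` and the https_port `tproxy` and `intercept` flags together with `ssl-bump`, since the feature was still a patch against trunk at the time of the thread; and check that the listener in mode 2 and 3 is not reachable from the open network, because an intercept or tproxy port accepts any connection arriving on it, not only redirected ones.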