Date: Tue, 3 Jan 2012 16:19:08 +0100
Hello,
I'm currently testing Squid 3.1.18 and particularly the dynamic SSL Bump feature.
This is working fine as expected but I think it could be better :
Using dynamic SSL Bump, if the remote certificate has issues, you have 2 choices :
sslproxy_cert_error deny *** or sslproxy_cert_error allow ***
If you allow those errors, you open a huge security breach.
If you deny those errors, the page is denied by Squid and you have a regression in a sense that you cannot choose as a user to consider the risk or not, the proxy has decided for you and you loose freedom. In real life scenarios this is really painfull.
One cool feature would be the possibility (configuration directive) to forward original certificate errors on the dynamically generated certificate. So the user would be prompted about the risk and he could choose to consider it or not.
Thanks for your work.
Regards.
[cid:image001.jpg_at_01CCCA30.BC79C680]
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
