Feature request (SSLBump): generate erroneous certificate if original is (option)

From: Vincent Miszczak <vmiszczak_at_ankama.com>
Date: Tue, 3 Jan 2012 16:19:08 +0100

Hello,

I'm currently testing Squid 3.1.18 and particularly the dynamic SSL Bump feature.
This is working fine as expected, but I think it could be better:

Using dynamic SSL Bump, if the remote certificate has issues, you have two choices:
sslproxy_cert_error deny *** or sslproxy_cert_error allow ***

If you allow those errors, you open a huge security breach.
If you deny those errors, the page is denied by Squid and you have a regression, in the sense that you cannot choose as a user whether to accept the risk or not: the proxy has decided for you and you lose freedom. In real-life scenarios this is really painful.
One cool feature would be the possibility (a configuration directive) to forward the original certificate errors onto the dynamically generated certificate. So the user would be prompted about the risk and could choose to accept it or not.

Thanks for your work.

Regards.

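The two settings the post contrasts, as an added squid.conf illustration (this is not part of the original message and not Squid's own documentation). The http_port line, CA path, ACL names and the internal domain are assumptions chosen for the example; the ssl_error ACL type and the sslproxy_flags directive are assumed to be available as in Squid 3.1.

```conf
# Added example, not from the original post. Paths, ACL names and the
# example domain are assumed for illustration.

# Dynamic SSL Bump: Squid generates a per-site certificate signed by the
# proxy CA instead of presenting one static certificate to every client.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/proxyCA.pem
ssl_bump allow all

# DANGEROUS (the "huge security breach" of the post): every upstream
# certificate problem (expired, name mismatch, untrusted issuer) is
# swallowed and the client receives a clean proxy-signed certificate, so a
# man-in-the-middle between Squid and the origin is invisible to the user.
#sslproxy_cert_error allow all

# Middle ground, narrower than allow-all: tolerate one specific error for
# one known internal host only (ssl_error ACL type, assumed available as in
# Squid 3.1). Everything else still fails closed.
acl internal_dev dstdomain dev.example.internal
acl self_signed ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
sslproxy_cert_error allow internal_dev self_signed

# Fail closed for all other errors: the user gets a Squid error page and
# cannot override it (the regression the post describes).
sslproxy_cert_error deny all

# Check: DONT_VERIFY_PEER disables upstream verification entirely, so no
# error is ever raised and sslproxy_cert_error never gets a chance to deny.
# Make sure it is NOT set when relying on the rules above.
#sslproxy_flags DONT_VERIFY_PEER
```

The point of the middle section is that "allow" need not be all-or-nothing: an ACL on the specific validation error and the specific destination keeps the fail-closed default for the rest of the Internet while unblocking the one internal host that is expected to be self-signed.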
Received on Tue Jan 03 2012 - 15:19:20 MST
