Re: Feature request (SSLBump) : generate erroneous certificate if original is option

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 04 Jan 2012 09:56:29 -0700

On 01/04/2012 02:31 AM, Vincent Miszczak wrote:

> This article relates that it will be available in 3.3.
...
> Do you think this work will be backported to the STABLE branch as you
> did for dynamic SSL bump on 3.1 branch ?

I specified v3.3 on the wiki because v3.2 was closed for new features
when the development was scheduled. If others (including you) decide
that the new features are needed in v3.2, we will port them. Please keep
in mind that while you may want the features in v3.2, others complain
that by adding new code to that release we hurt its stability.

> Are ETA reliable ?

Published ETAs are based on deadlines set by feature sponsors and an
added extra time to polish the code and submit it to squid-dev for
review. The deadlines are usually firm but the added extra time is not
reliable because higher priority projects may intervene before the code
is submitted.

HTH,

Alex.

> -----Message d'origine-----
> De : Alex Rousskov [mailto:rousskov_at_measurement-factory.com]
> Envoyé : mardi 3 janvier 2012 20:12
> À : Vincent Miszczak
> Cc : squid-dev_at_squid-cache.org
> Objet : Re: Feature request (SSLBump) : generate erroneous certificate if original is option
>
> On 01/03/2012 08:19 AM, Vincent Miszczak wrote:
>> Hello,
>>
>>
>>
>> I’m currently testing Squid 3.1.18 and particularly the dynamic SSL
>> Bump feature.
>>
>> This is working fine as expected but I think it could be better :
>>
>>
>>
>> Using dynamic SSL Bump, if the remote certificate has issues, you have
>> 2 choices :
>>
>> sslproxy_cert_error deny *** or sslproxy_cert_error allow ***
>>
>>
>>
>> If you allow those errors, you open a huge security breach.
>>
>> If you deny those errors, the page is denied by Squid and you have a
>> regression in a sense that you cannot choose as a user to consider the
>> risk or not, the proxy has decided for you and you loose freedom. In
>> real life scenarios this is really painfull.
>>
>> One cool feature would be the possibility (configuration directive) to
>> forward original certificate errors on the dynamically generated
>> certificate. So the user would be prompted about the risk and he could
>> choose to consider it or not.
>
> Hi Vincent,
>
> Server certificate mimicking is useful for both valid and broken origin server certificates. This feature is being implemented now:
> http://wiki.squid-cache.org/Features/MimicSslServerCert
>
>
> Cheers,
>
> Alex.
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>
>
Received on Wed Jan 04 2012 - 16:56:54 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 05 2012 - 12:00:07 MST