Re: [squid-users] Re: Transparent proxying HTTPS through Squid

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 7 Jan 2008 16:30:49 +0900

On Mon, Jan 07, 2008, Dumpolid Exeplish wrote:
> Adrian,
>
> How can this be possible? can you explain?

* You can treat the SSL connection as just a TCP tunnel type connection.
  (And if you need to pass it to an upstream proxy, just wrap it in CONNECT.)
* You can then do a few things, like:
  - without breaking the connection:
    - fingerprint the SSL cipher maybe?
    - source/destination IP addresses
    - destination port
    - destination host, if given in the CONNECT request
  - breaking the SSL connection (i.e., terminating it and then issuing an SSL connection outbound):
    - well, you've got access to the whole datastream, so anything
    - but you have to play SSL certificate games so your users don't get hounded by their
      browsers about insecure certificates.

Squid-3 is growing something (called "SslBump") which will introduce some of
these features. I'd like to introduce similar functionality in Squid-2 once
the squid-3 code is complete and debugged.

Adrian
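Added example (not code from Adrian's post or from Squid): the "without breaking the connection" fields above, as a proxy could log them. parse_connect_request reads the destination host and port from a CONNECT request line; parse_client_hello reads the client's TLS version, offered cipher suites and SNI from the first TLS record without decrypting anything. build_client_hello only produces a constructed sample input, and all function names are my own.

```python
import struct

def parse_connect_request(request_line: bytes):
    """Return (host, port) from a CONNECT request line such as
    b'CONNECT www.example.com:443 HTTP/1.1'; this is where the destination
    host is visible to a proxy that does not terminate TLS."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(b":")
    return host.decode("ascii"), int(port)

def build_client_hello(host: str, suites):
    """Constructed sample ClientHello (fixed random, no session id) used as
    input below; a real proxy reads this from the client socket."""
    sni = host.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Pull the loggable fields out of a TLS ClientHello record without
    decrypting anything: client version, offered cipher suites, and SNI."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                # record header (5) + handshake header (4)
    version = record[pos:pos + 2].hex(); pos += 2
    pos += 32                              # client random
    pos += 1 + record[pos]                 # session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                 # compression methods
    sni = None
    if pos + 2 <= len(record):             # extensions block is optional
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4]); pos += 4
            if etype == 0:                 # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}
```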
Received on Mon Jan 07 2008 - 00:21:57 MST
