Re: [squid-users] SSLBump.. could it be used for transparent proxying?

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Sun, 7 Feb 2010 16:40:02 +0100

> On 01/13/2010 10:30 AM, Dimitri Syuoul wrote:
> > I've been reading over this new feature. It is unclear to me if this
> > can be used for transparently proxying SSL (by this I mean not
> > configuring any proxy in the computers of the clients; it is ok if
> > clients get cert warnings).
>
> Yes, SSL Bump can be used in a transparent environment.
>
> Due to a large number of certificate warnings, complex sites that use
> multiple secure servers on one page are barely usable without dynamic
> SSL certificate generation though.

On 27.01.10 11:02, Shawn Wright wrote:
> Can you explain this part please? We currently have a production squid
> 2.6-20 server in non-transparent mode with AD authentication, to proxy
> http and https traffic for 600 users. As part of our migration to
> wireless, we are investigating going to an entirely transparent proxy,
> using WCCP2 on a Cisco C6500 to redirect traffic. I realize we will lose
> authentication, but instead plan to use ACLs based on source VLAN, and
> rely on DHCP/radius logs to track specific requests to user auth where
> necessary (not often).
>
> Our current server sees ~120 req/s with 600 users and a 1Gbps link
> (although usage is typically only 30Mbps sustained). Will SSL Bump and
> dynamic cert generation allow us to replace our current proxy with fully
> transparent on squid 3.1? Does the cert generation result in a performance
> hit?

If you want to proxy HTTPS, you must note that you will break your users'
privacy. They may want to kill and/or sue you for that.

You will have to decrypt/encrypt their connections instead of the remote servers
(ordinary https proxying uses tunnelling via a CONNECT request). You must
provide certificate(s) for the remote server(s), which you must generate (and
have signed by an authority the clients will trust) when needed. You can't know the
private key of the remote servers, that's why you must generate all the stuff.
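
An added example in Go (not from this thread and not Squid code) that plays out the mechanism just described with constructed certificates: the proxy cannot have the remote server's private key, so it mints its own leaf for the host under its own CA; a client that was never given that CA gets the certificate warning, a client that trusts it gets none, and a client that pins the genuine server's public key still detects the substitution. Host and CA names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a cert for name: a self-signed CA when parent is nil, else a leaf for that host signed by parent.
func mint(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // key usages are set broadly so that one template serves both CA and leaf
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// clientCheck is the browser's view: does leaf chain to a trusted root for host, and is its key the one pinned earlier?
func clientCheck(leaf *x509.Certificate, roots *x509.CertPool, host string, pinned *x509.Certificate) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, string(leaf.RawSubjectPublicKeyInfo) == string(pinned.RawSubjectPublicKeyInfo)
}

// Scenario plays out the thread with constructed certs: the site's genuine cert and the proxy's look-alike for the same host.
func Scenario() (warnsWithoutProxyCA, trustedWithProxyCA, pinMatches bool) {
	host := "www.example.com" // constructed sample host
	publicCA, publicKey := mint("Public-Root-CA", nil, nil)
	genuine, _ := mint(host, publicCA, publicKey)
	bumpCA, bumpKey := mint("Proxy-Bump-CA", nil, nil)
	forged, _ := mint(host, bumpCA, bumpKey) // the proxy never has the real server's key, so it mints its own
	roots := x509.NewCertPool()
	roots.AddCert(publicCA) // client that was never given the proxy CA: this is the thread's certificate warning
	chainOK, _ := clientCheck(forged, roots, host, genuine)
	roots.AddCert(bumpCA) // client where the admin installed the proxy CA: no warning, but the pinned key differs
	trustedWithProxyCA, pinMatches = clientCheck(forged, roots, host, genuine)
	return !chainOK, trustedWithProxyCA, pinMatches
}
```

Installing the proxy CA on the clients removes the warning but not the key substitution, which is why the privacy point above holds regardless of how the warnings are handled.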

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".
Received on Sun Feb 07 2010 - 15:40:07 MST
