Re: [squid-users] Capturing HTTPS traffic

From: James R. Leu <jleu_at_mindspring.com>
Date: Sun, 5 Feb 2012 17:33:00 -0600

If squid is configured to use ICAP and the ICAP server supports
RESPMOD, would the ICAP server be given the full response unencrypted?

On Mon, Feb 06, 2012 at 12:03:11AM +0100, Henrik Nordström wrote:
> Sun 2012-02-05 at 14:12 -0500, PS wrote:
>
> > Shouldn't I be able to decrypt the connection between the client and the squid server in order to see the traffic that is being sent to gmail?
>
> Yes, if you are using ssl-bump, and you have access to the temp
> certificate used by Squid.
>
> But
> a) ssldump does not handle AES encryption. There are patches to add AES,
> but these have not made it into an official release yet, if there ever
> will be an updated official release.
> b) nor a number of other more modern things such as DH exchanges
>
> so you may need to restrict the list of supported ciphers a bit for
> decryption to be possible.
>
> You may have better luck trying the SSL decoder found in wireshark. But
> it's not as easy to work with.
>
> And remember that you can only decode
> client<->squid_with_known_fake_cert traffic not squid<->server
>
> Another option would be to use mitmproxy. It does the same SSL intercept
> as Squid ssl-bump but for very different purposes. Which tool suits you
> best depends on what it really is you want to accomplish.
>
> Regards
> Henrik
>

-- 
James R. Leu
jleu_at_mindspring.com
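As an added illustration of the points in the quoted reply (this is not code from the thread, from Squid or from ssldump), the Python script below reads the cipher suite negotiated in a captured TLS ServerHello and reports whether a passive decoder that holds the server's private key could recover the session. Only RSA key exchange allows that; DHE/ECDHE suites cannot be decoded from a capture even with the key, and on the Squid<->origin leg of an ssl-bump setup the key is not held at all. The cipher-suite table is a constructed subset of the IANA registry, and the ServerHello bytes are constructed sample input built by the script itself.

```python
"""Classify a TLS ServerHello by whether passive decryption with a known
server private key is feasible. Added example for the squid-users thread;
not part of Squid, ssldump or wireshark."""
import struct

# Constructed subset of the IANA TLS cipher suite registry:
# id -> (name, key exchange method, bulk cipher)
CIPHER_SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE", "AES"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", "AES"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", "AES"),
}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite id from a TLS ServerHello record.
    Raises ValueError for anything that is not a well-formed ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    # layout: version(2) random(32) session_id_len(1) session_id(n)
    #         cipher_suite(2) compression_method(1) [extensions]
    pos = 2 + 32
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[pos:pos + 2])[0]


def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample input only)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite_id) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def assess(record: bytes, have_private_key: bool) -> dict:
    """Report the negotiated suite and whether a passive decoder holding
    (or not holding) the server's private key could recover the session.
    have_private_key is True for the client<->Squid leg when you own the
    ssl-bump certificate key, and False for the Squid<->origin leg."""
    suite_id = parse_server_hello(record)
    name, kx, bulk = CIPHER_SUITES.get(
        suite_id, (f"unknown_0x{suite_id:04x}", "unknown", "unknown"))
    return {
        "suite": name,
        "key_exchange": kx,
        "bulk": bulk,
        # Only a static RSA key exchange lets the pre-master secret be
        # recovered from the capture; (EC)DHE gives forward secrecy.
        "decryptable": have_private_key and kx == "RSA",
    }


if __name__ == "__main__":
    for sid, key_held in ((0x002F, True), (0x002F, False), (0xC013, True)):
        print(assess(build_server_hello(sid), key_held))
```

The `bulk` field is there because the reply also notes that a stock ssldump release lacks AES support, so even a decryptable RSA/AES session may need a patched decoder or wireshark.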

Received on Sun Feb 05 2012 - 23:33:08 MST
