Hi Amos,
Thanks for your help. By adding
"generate-host-certificates=on" to the config I could see the host
servers' certificates being mimicked.
https_port 3129 intercept generate-host-certificates=on
cert=/etc/squid/ssl_cert/myCA.pem ssl-bump
Regards,
Prasanna
On 2/15/13, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 15/02/2013 2:23 a.m., Prasanna Venkateswaran wrote:
>> Hi,
>> I have been trying to set up squid which can intercept https
>> traffic without client (read it as browser proxy) changes. I am using
>> the latest squid 3.3.1. When I actually open a https site I still see
>> the certificate with the parameters I provided (for myCA.pem) and I
>> dont see any of the original certificate's properties being mimicked.
>> I have listed my config below. Please let me know whether I am missing
>> anything. Pardon me if am overlooking any config. I am relatively new
>> to squid.
>>
>> My iptable config:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> REDIRECT tcp -- anywhere anywhere tcp
>> dpt:www redir ports 3128
>> REDIRECT tcp -- anywhere anywhere tcp
>> dpt:https redir ports 3129
>>
>>
>> My Squid config:
>>
>> http_access deny all
>> always_direct allow all
>> ssl_bump server-first all
>>
>> # Squid normally listens to port 3128
>> http_port 3128 transparent
>> https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump
>
> Mimic only works when the certificate is being created by Squid.
>
> The above config line is a _static_ certificate configuration. Whatever
> request arrives at squid will be SSL setup using myCA.pem keys - which
> were created by you in advance and are fixed.
>
> What you are needing is a _dynamic_ certificate configuration. With the
> CA certificate, private key= certificate and generate-* SSL options
> enabled on this port to allow Squid to create new certificates as needed.
>
>
> Amos
>
Received on Tue Feb 19 2013 - 13:03:12 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 19 2013 - 12:00:04 MST