Re: [squid-users] dynamic ssl certificate generation - ip addresses
On 1/11/2013 5:11 p.m., Lennert Rienau wrote:
> Hi, i want squid to create dynamic ssl certificates in intercept mode, which works, but squid uses ip-addresses for the certificates of the site, not the host name. Does anybody know why this happens?

Because you use client-first bumping on intercepted traffic. The only details Squid has at that point are the IP address and port the client was connecting to.

You need server-first bumping to contact the server and find out what domain(s) its certificate indicates.

Amos
Re: [squid-users] dynamic ssl certificate generation - ip addresses
> Because you use client-first bumping on intercepted traffic. The only details Squid has at that point are the IP address and port the client was connecting to.
>
> You need server-first bumping to contact the server and find out what domain(s) its certificate indicates.

Thank you for your answer, when I change it to ssl-server-first mode this error appears:

FATAL: unknown ssl_bump mode: ssl-server-first.

Should I apply this patch: http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0144/BumpSslServerFirst-t11-Amos-requests-part.patch or is there another workaround? I run squid 3.3.9.

Thanks!
Re: [squid-users] dynamic ssl certificate generation - ip addresses
On 11/01/2013 08:34 AM, Lennert Rienau wrote:
>> Because you use client-first bumping on intercepted traffic. The only details Squid has at that point are the IP address and port the client was connecting to.
>>
>> You need server-first bumping to contact the server and find out what domain(s) its certificate indicates.
>
> Thank you for your answer, when I change it to ssl-server-first mode this error appears:
>
> FATAL: unknown ssl_bump mode: ssl-server-first.

It is server-first not ssl-server-first. Please read squid.conf.documented description of ssl_bump or http://www.squid-cache.org/Doc/config/ssl_bump/

Thank you,

Alex.

> Should I apply this patch: http://www.squid-cache.org/mail-archive/squid-dev/201207/att-0144/BumpSslServerFirst-t11-Amos-requests-part.patch or is there another workaround? I run squid 3.3.9.
>
> Thanks!
[squid-users] dynamic ssl certificate generation - ip addresses
Hi,

I want squid to create dynamic ssl certificates in intercept mode, which works, but squid uses ip-addresses for the certificates of the site, not the host name. Does anybody know why this happens?

squid.conf:

cache_effective_user squid
cache_effective_group squid
#acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.42.0/24
acl blocknet src 192.168.42.10-192.168.42.50
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
http_access allow all
http_port 192.168.42.1:3128 intercept
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/ssl_db -M 4MB
sslcrtd_children 5
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

Thank you!
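The points Amos and Alex make in this thread (client-first on an intercepted port can only produce IP-address certificates, and the mode is spelled server-first) can be turned into a check over a squid.conf. The script below is an added example, not code from the thread or from Squid; lint_ssl_bump, directives and write_sample_conf are helpers written here, and the sample configuration is the poster's reduced to the relevant directives. It goes one step further than the thread and also flags the two settings in the same configuration that matter once server-first is in use, because they make Squid accept any origin certificate.

```shell
#!/bin/sh
# Lint a squid.conf for the ssl-bump pitfalls discussed in this thread.
# Assumptions (not from the original posts): one directive per line,
# '#' starts a comment, findings are printed as "CODE: message".

# Constructed sample: the poster's configuration from the thread,
# reduced to the directives the checks look at.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sample squid.conf (constructed from the thread)
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 192.168.42.1:3128 intercept
https_port 192.168.42.1:3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
EOF
}

# Uncommented content of FILE.
directives() { sed 's/#.*//' "$1"; }

# lint_ssl_bump FILE: print one finding per line; the return status is
# the number of findings, so 0 means nothing was flagged.
lint_ssl_bump() {
    conf="$1"
    findings=0
    # 1. Intercepted ssl-bump port combined with client-first. When the
    #    client hello arrives Squid only knows the destination IP:port the
    #    connection was intercepted for, so the generated certificate
    #    names the IP address instead of the host.
    if directives "$conf" | grep -E '^[[:space:]]*https?_port[[:space:]]' |
         grep -E '[[:space:]](intercept|transparent)([[:space:]]|$)' |
         grep -q 'ssl-bump' &&
       directives "$conf" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+client-first'; then
        echo "CLIENT_FIRST_INTERCEPT: intercepted ssl-bump port with 'ssl_bump client-first'; use 'ssl_bump server-first all' (the mode is server-first, not ssl-server-first)"
        findings=$((findings + 1))
    fi
    # 2. 'transparent' is the old spelling of 'intercept'.
    if directives "$conf" | grep -Eq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]transparent([[:space:]]|$)'; then
        echo "DEPRECATED_TRANSPARENT: replace 'transparent' with 'intercept' on the port line"
        findings=$((findings + 1))
    fi
    # 3/4. With server-first Squid validates the origin certificate before
    #      minting one for the client. These two settings make it accept
    #      any origin certificate, and since the client only ever sees the
    #      trusted Squid-generated one, a bad origin certificate is hidden.
    if directives "$conf" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "CERT_ERROR_ALLOW_ALL: 'sslproxy_cert_error allow all' ignores every origin certificate error"
        findings=$((findings + 1))
    fi
    if directives "$conf" | grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]].*DONT_VERIFY_PEER'; then
        echo "DONT_VERIFY_PEER: origin certificates are not verified at all"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run as `write_sample_conf /tmp/squid.conf; lint_ssl_bump /tmp/squid.conf; echo "findings: $?"` to see all four findings for the thread's configuration.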
[squid-users] Dynamic SSL Certificate Generation
I am trying to get SSL bumping to work on my CentOS system. I am using these options in my squid.conf

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

Here is the output of cache.log

2012/11/24 00:57:39| Starting Squid Cache version 3.2.3 for x86_64-unknown-linux-gnu...
2012/11/24 00:57:39| Process ID 53204
2012/11/24 00:57:39| Process Roles: master worker
2012/11/24 00:57:39| With 1024 file descriptors available
2012/11/24 00:57:39| Initializing IP Cache...
2012/11/24 00:57:39| DNS Socket created at [::], FD 5
2012/11/24 00:57:39| DNS Socket created at 0.0.0.0, FD 6
2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
2012/11/24 00:57:39| Adding domain localdomain from /etc/resolv.conf
2012/11/24 00:57:39| Adding nameserver 192.168.253.2 from /etc/resolv.conf
2012/11/24 00:57:39| helperOpenServers: Starting 5/5 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
2012/11/24 00:57:39| Logfile: opening log daemon:/var/log/access.log
2012/11/24 00:57:39| Logfile Daemon: opening log /var/log/access.log
2012/11/24 00:57:39| Store logging disabled
2012/11/24 00:57:39| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/11/24 00:57:39| Target number of buckets: 1008
2012/11/24 00:57:39| Using 8192 Store buckets
2012/11/24 00:57:39| Max Mem size: 262144 KB
2012/11/24 00:57:39| Max Swap size: 0 KB
2012/11/24 00:57:39| Using Least Load store dir selection
2012/11/24 00:57:39| Set Current Directory to /var/cache/squid
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
(ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
2012/11/24 00:57:39| Loaded Icons.
2012/11/24 00:57:39| HTCP Disabled.
2012/11/24 00:57:39| Squid plugin modules loaded: 0
2012/11/24 00:57:39| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
2012/11/24 00:57:39| WARNING: ssl_crtd #1 exited
2012/11/24 00:57:39| Too few ssl_crtd processes are running (need 1/5)
2012/11/24 00:57:39| Closing HTTP port [::]:3128
2012/11/24 00:57:39| storeDirWriteCleanLogs: Starting...
2012/11/24 00:57:39|   Finished.  Wrote 0 entries.
2012/11/24 00:57:39|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
Squid Cache (Version 3.2.3): Terminated abnormally.
CPU Usage: 0.051 seconds = 0.023 user + 0.028 sys
Maximum Resident Size: 44192 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
	total space in arena:    4908 KB
	Ordinary blocks:         4848 KB      8 blks
	Small blocks:               0 KB      1 blks
	Holding blocks:           664 KB      2 blks
	Free Small blocks:          0 KB
	Free Ordinary blocks:      59 KB
	Total in use:            5512 KB 112%
	Total free:                59 KB 1%

I see that it complains about the certificate db which is not initialized, so I run:

[root@localhost ssl_cert]# /usr/lib/squid/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
Initialization SSL db...
/usr/lib/squid/ssl_crtd: Cannot create /usr/local/squid/var/lib/ssl_db

I have the correct ownership and file permissions set to /usr/local/squid/var/lib/ssl_db

[root@localhost ssl_cert]# ls -l /usr/local/squid/var/lib/
total 4
drwxr-xr-x. 2 proxy proxy 4096 Nov 24 00:48 ssl_db

How can I get this to work?
Re: [squid-users] Dynamic SSL Certificate Generation
On 25/11/2012 6:57 a.m., Aleksandr Tatarinov wrote:
> I am trying to get SSL bumping to work on my CentOS system. I am using these options in my squid.conf
>
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> Here is the output of cache.log
>
> [...]
> (ssl_crtd): Uninitialized SSL certificate database directory: /usr/local/squid/var/lib/ssl_db. To initialize, run ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db.
> [...]
> 2012/11/24 00:57:39| WARNING: ssl_crtd #1 exited
> 2012/11/24 00:57:39| Too few ssl_crtd processes are running (need 1/5)
> [...]
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
> Squid Cache (Version 3.2.3): Terminated abnormally.
> [...]
>
> I see that it complains about the certificate db which is not initialized, so I run:
>
> [root@localhost ssl_cert]# /usr/lib/squid/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
> Initialization SSL db...
> /usr/lib/squid/ssl_crtd: Cannot create /usr/local/squid/var/lib/ssl_db
>
> I have the correct ownership and file permissions set to /usr/local/squid/var/lib/ssl_db
>
> [root@localhost ssl_cert]# ls -l /usr/local/squid/var/lib/
> total 4
> drwxr-xr-x. 2 proxy proxy 4096 Nov 24 00:48 ssl_db
>
> How can I get this to work?

group/other do not have write permissions so root cannot create things in there. Try running the tool as the proxy user.

Amos
[squid-users] dynamic SSL certificate generation not working in 3.3
Hey All,

I am trying to use the dynamic SSL certificate generation in 3.3. My squid setup is an interception proxy setup. So dynamic generation in interception is only possible after bump-server first available in 3.3. I have added the Root CA certificate (generated by myself) to the browser.

The problem is that squid is still giving the same certificate to the client which causes warnings on the browser. By same I mean the certificate that I created myself which does not have the correct destination domain. Looking at the presented certificate in the browser, I can see the fields that I used to create the certificate. Effectively this means that dynamic certificate generation is not working.

Also certificates are supposed to be cached in the ssl_db by the sslcrt_program. There are no certificates being generated in that path (/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5 children of sslcrtd running. But seems they are not doing their job.

My config is: https_port is the involved port since I am in interception mode.

ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

##DYnamic certificate portion
sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

http_port 192.168.8.40:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
http_port 192.168.8.40:8080
https_port 192.168.8.40:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem

I am getting these errors in access.log for https sites (port 443 is being used as it is transparent-interception mode):

2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)

Which certificate is bad? Any idea why dynamic generation is not working? Or why this bad certificate error?

--
Regards,
-Ahmed Talha Khan
Re: [squid-users] dynamic SSL certificate generation not working in 3.3
On Apr 26, 2012, at 1:12 AM, Ahmed Talha Khan wrote:
> Hey All,
>
> I am trying to use the dynamic SSL certificate generation in 3.3. My squid setup is an interception proxy setup. So dynamic generation in interception is only possible after bump-server first available in 3.3. I have added the Root CA certificate (generated by myself) to the browser.
>
> The problem is that squid is still giving the same certificate to the client which causes warnings on the browser. [...] Effectively this means that dynamic certificate generation is not working.
>
> Also certificates are supposed to be cached in the ssl_db by the sslcrt_program. There are no certificates being generated in that path (/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5 children of sslcrtd running. But seems they are not doing their job.
>
> [...]
>
> 2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
> [...]
>
> Which certificate is bad? Any idea why dynamic generation is not working? Or why this bad certificate error?

For clientNegotiateSSL errors, this is probably the client rejecting the certificate supplied by Squid.

Since you say that the ssl_crtd daemons do not appear to be creating SSL certificates, is /usr/local/squid-3.3/var/lib/ssl_db owned by the squid user, and does it have the index.txt, serial, and size files in it, and the certs subdirectory? Is there anything in the index.txt file? Is there anything in the size file?

Does the /home/talha/squid/www.sample.com.pem file contain a valid certificate and key?

Guy
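Amos's answer in the CentOS thread above (the ssl_db directory must be writable by the user the helpers run as) and Guy's questions here (ownership, index.txt, serial, size, certs/) amount to a pre-flight check on the ssl_crtd database. The script below is an added example and not code from either thread or from Squid; check_ssl_db and make_fixture are helpers written here, and the fixture it builds is constructed rather than taken from a real ssl_crtd run.

```shell
#!/bin/sh
# Pre-flight check for a Squid ssl_crtd certificate database.
# Assumptions (not from the original posts): check_ssl_db and
# make_fixture are helpers written for this example; the expected file
# set (index.txt, serial, size, certs/) is the one Guy lists above.

# check_ssl_db DIR USER: report problems on stdout; return 0 when the
# database exists, is initialised and is owned by USER (the user the
# ssl_crtd helpers run as, i.e. cache_effective_user), 1 otherwise.
# USER may be a name or a numeric uid.
check_ssl_db() {
    db="$1"
    user="$2"
    problems=0
    case "$user" in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || { echo "USER: no such user '$user'"; return 1; } ;;
        *) uid="$user" ;;
    esac
    if [ ! -d "$db" ]; then
        echo "MISSING: $db does not exist; initialise it as $user with: ssl_crtd -c -s $db"
        return 1
    fi
    # Ownership is what matters: the helpers run as USER and must be able
    # to write here, so a database created as another user (root in the
    # thread above) is one the helpers cannot use.
    owner=$(ls -ldn "$db" | awk '{print $3}')
    if [ "$owner" != "$uid" ]; then
        echo "OWNER: $db is owned by uid $owner, but the helpers run as $user (uid $uid)"
        problems=$((problems + 1))
    fi
    for f in index.txt serial size; do
        if [ ! -f "$db/$f" ]; then
            echo "MISSING: $db/$f (database not initialised with 'ssl_crtd -c -s $db')"
            problems=$((problems + 1))
        fi
    done
    if [ ! -d "$db/certs" ]; then
        echo "MISSING: $db/certs"
        problems=$((problems + 1))
    else
        # An initialised database with an empty index and nothing in certs/
        # means Squid has never asked the helpers to mint a certificate,
        # which is the symptom Guy is probing for above.
        count=$(ls "$db/certs" | wc -l | tr -d ' ')
        echo "INFO: $count generated certificate(s) in $db/certs"
        if [ -f "$db/index.txt" ] && [ ! -s "$db/index.txt" ]; then
            echo "INFO: index.txt is empty, no certificate has been generated yet"
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed fixture: the file set Guy lists, with placeholder contents,
# so the check can be exercised without Squid installed.
make_fixture() {
    mkdir -p "$1/certs"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 0 > "$1/size"
}
```

On a real proxy run it as `check_ssl_db /usr/local/squid/var/lib/ssl_db squid` (substituting the cache_effective_user from squid.conf) before starting Squid.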
[squid-users] Dynamic SSL Certificate Generation
I try to use sslbump and Dynamic SSL Certificate Generation with squid 3.2 (latest from bzr) but get the following error:

g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT certificate_db.o -MD -MP -MF .deps/certificate_db.Tpo -c -o certificate_db.o certificate_db.cc
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteInvalidCertificate()’:
certificate_db.cc:438:53: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:438:53: error:   initializing argument 1 of ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteOldestCertificate()’:
certificate_db.cc:477:39: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:477:39: error:   initializing argument 1 of ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteByHostname(const std::string)’:
certificate_db.cc:503:53: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:503:53: error:   initializing argument 1 of ‘void* sk_value(const _STACK*, int)’
make[3]: *** [certificate_db.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/src/ssl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/src'
make: *** [all-recursive] Error 1

The configure was

./configure --prefix=/opt/squid-3.2 \
  --sysconfdir=/etc/squid \
  --bindir=/opt/squid-3.2/sbin \
  --sbindir=/opt/squid-3.2/sbin \
  --localstatedir=/var \
  --libexecdir=/opt/squid-3.2/sbin \
  --datadir=/opt/squid-3.2/share/squid \
  --mandir=/opt/squid-3.2/share/man \
  --with-dl \
  --with-maxfd=4096 \
  --enable-snmp \
  --enable-carp \
  --enable-useragent-log \
  --enable-auth \
  --enable-auth-basic=LDAP MSNT NCSA PAM SMB NOS getpwnam MSNT-multi-domain \
  --enable-auth-ntlm=smb_lm fake \
  --enable-auth-negotiate=kerberos negotiate_wrapper \
  --enable-auth-digest=LDAP file \
  --enable-external-acl-helpers=file_userip LDAP_group kerberos_ldap_group session unix_group wbinfo_group \
  --enable-ntlm-fail-open \
  --enable-referer-log \
  --enable-arp-acl \
  --enable-htcp \
  --enable-underscores \
  --enable-stacktraces \
  --enable-delay-pools \
  --enable-useragent-log \
  --enable-referer-log \
  --enable-forward-log \
  --enable-multicast-miss \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-cache-digests \
  --enable-auth-on-acceleration \
  --enable-storeio=aufs,diskd,ufs \
  --enable-linux-netfilter \
  --enable-removal-policies=heap,lru \
  --enable-icmp \
  --with-samba-sources=/usr/include/samba \
  --enable-large-cache-files \
  --enable-x-accelerator-vary \
  --enable-follow-x-forwarded-for \
  --with-default-user=squid \
  --enable-translation

make DEFAULT_SWAP_DIR=/var/cache/squid \
  DEFAULT_LOG_PREFIX=/var/log/squid \
  DEFAULT_PID_FILE=/var/run/squid.pid \
  SAMBAPREFIX=/usr

compiler details

g++ -v
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i586-suse-linux/4.5/lto-wrapper
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.5 --enable-ssp --disable-libssp --disable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.5 --enable-linux-futex --without-system-libunwind --enable-gold --with-plugin-ld=/usr/bin/gold --with-arch-32=i586 --with-tune=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.5.0 20100604 [gcc-4_5-branch revision 160292] (SUSE Linux)

Should this work with 3.2?

Thank you
Markus
[squid-users] Dynamic SSL certificate generation in intercept (transparent) mode.
Hi.

I'm using squid ssl interception in transparent proxy mode. But, of course, I have a problem with invalid common name in any ssl transaction.

I found this on the squid wiki:

> ...We believe it is technically possible to implement dynamic certificate generation for transparent connections. Doing so requires turning Squid transaction handling steps upside down, so that the secure connection with the server is established /before/ the secure connection with the client. The implementation will be difficult, but it will allow Squid to get the server name from the server certificate and use that to generate a fake server certificate to give to the client. Quality patches or sponsorships welcomed. ...

So, maybe there is a related point on a road-map right now? Or maybe some work-around using a 3rd-party application?

I have to admit, it would be a very welcome feature for me.

Regards;

--
Pawel Mojski