Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-14 Thread Amos Jeffries
On Sun, 14 Feb 2010 18:30:34 -0600, Andres Salazar 
wrote:
> Hello,
> 
> I am trying to configure SSLbump so that I can use squid in transparent
> mode and redirect with iptables/pf port 443 and 80 to squid.
> 
> When using https_port (based on some mailing lists) it says that isn't
> recognized.
> I also tried to use
> 
> http_port 3129 transparent sslBump
> cert=/usr/local/squid/etc/server.crt
> key=cert=/usr/local/squid/etc/server.key
> 

Kill that http_port = SslBump only bumps CONNECT requests in regular port
80 traffic.
And CONNECT requests are illegal unless explicitly talking to a proxy.
Passing port 443 there will only result in dropped connections and maybe
logged warnings about garbage (encrypted data) arriving from a client.

To intercept HTTPS you do need to be on an https_port.
Your squid needs to be built with SSL support.


> and
> 
> http_port 3129  sslBump cert=/usr/local/squid/etc/server.crt
> key=cert=/usr/local/squid/etc/server.key
> 
> But then I receive this error:
> 
> FATAL: Bungled squid.conf line 38: http_port 3129 transparent sslBump
> cert=/usr/local/squid/etc/server.crt
> key=cert=/usr/local/squid/etc/server.key

 "key=cert=" ??


Amos

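The two mistakes Amos points out above (the `key=cert=` value and sslBump on an intercepted http_port) are easy to catch before squid does. The following linter is an added example written for this thread, not part of squid or of the original posts; it parses only the option syntax visible here, and the squid.conf fragment it checks is constructed.

```python
"""Lint squid.conf http_port/https_port lines for the mistakes discussed in this thread."""
from typing import List, Tuple

# Constructed squid.conf fragment reproducing the malformed line from the thread.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
http_port 3128
http_port 3129 transparent sslBump cert=/usr/local/squid/etc/server.crt key=cert=/usr/local/squid/etc/server.key
https_port 3130 transparent sslBump cert=/usr/local/squid/etc/server.crt key=/usr/local/squid/etc/server.key
"""

PORT_DIRECTIVES = ("http_port", "https_port")


def lint_port_line(line: str) -> List[str]:
    """Return findings for one http_port/https_port directive (empty list if fine)."""
    tokens = line.split()
    if not tokens or tokens[0] not in PORT_DIRECTIVES:
        return []
    directive, opts = tokens[0], tokens[2:]  # tokens[1] is [ip:]port
    flags = {t.lower() for t in opts if "=" not in t}
    kv = {}
    for t in opts:
        if "=" in t:
            k, v = t.split("=", 1)  # split on the FIRST '=' only
            kv[k.lower()] = v
    findings = []
    # key=cert=/path: squid would try to open a file literally named "cert=/path"
    for k, v in kv.items():
        if "=" in v:
            findings.append(f"{directive}: option '{k}' has a nested '=' in its value {v!r}")
    # sslBump on an intercepted http_port only bumps CONNECT requests, not raw port-443 traffic
    if "sslbump" in flags and directive == "http_port" and "transparent" in flags:
        findings.append("http_port: sslBump only bumps CONNECT; intercepted HTTPS needs https_port")
    if "sslbump" in flags and ("cert" not in kv or "key" not in kv):
        findings.append(f"{directive}: sslBump requires both cert= and key=")
    return findings


def lint_conf(text: str) -> List[Tuple[int, str]]:
    """Lint a whole squid.conf text; returns (line number, finding) pairs."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        for finding in lint_port_line(line):
            out.append((n, finding))
    return out


if __name__ == "__main__":
    for n, finding in lint_conf(SAMPLE_CONF):
        print(f"line {n}: {finding}")
```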


Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-14 Thread Andres Salazar
Hello

On Sun, Feb 14, 2010 at 6:59 PM, Amos Jeffries  wrote:

>  "key=cert=" ??

I saw some examples where they were separated. It should be only one
file, right? Is my process of creating a crt and key sound correct
though?


Thank you.


Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-14 Thread Amos Jeffries
On Sun, 14 Feb 2010 19:28:28 -0600, Andres Salazar 
wrote:
> Hello
> 
> On Sun, Feb 14, 2010 at 6:59 PM, Amos Jeffries 
> wrote:
> 
>>  "key=cert=" ??
> 
> I saw some examples where they were separated. It should be only one
> file, right? Is my process of creating a crt and key sound correct
> though?
> 

Separated should be fine. The problem is the characters you entered in
squid.conf.

Squid barfs while trying to open the file named ./cert=/something

Amos


Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-16 Thread Matus UHLAR - fantomas
On 14.02.10 18:30, Andres Salazar wrote:
> I am trying to configure SSLbump so that I can use squid in transparent
> mode and redirect with iptables/pf port 443 and 80 to squid.

Are you aware of all security concerns when intercepting HTTPS connections?

...I just wonder when the first proactive admin (or one of his managers)
will be sent to prison for breaking into users' connections.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-16 Thread K K
On Tue, Feb 16, 2010 at 7:17 AM, Matus UHLAR - fantomas
 wrote:
> On 14.02.10 18:30, Andres Salazar wrote:
>> I am trying to configure SSLbump so that I can use squid in transparent
>> mode and redirect with iptables/pf port 443 and 80 to squid.

Why transparent?


> Are you aware of all security concerns when intercepting HTTPS connections?
>
> ...I just wonder when the first proactive admin (or one of his managers)
> will be sent to prison for breaking into users' connections.

Laws vary by country.  At least in the US, SSL-Intercepting admins are
much more likely to face civil liability than any sort of criminal
charge.  So no prison, just bankruptcy.

With the requirement to load a public key on the machine being
intercepted, generally this is only deployed in situations where the
owner of the proxy also already "owns" the user machine.


I'm using a commercial tool which gets around the headaches and legal
issues by inspecting the HTTPS outbound data on the client, before it
gets encrypted.   This "agent" only works with IE/Firefox.


Re: [squid-users] SSLBump, help to configure for 3.1.0.16

2010-02-18 Thread Matus UHLAR - fantomas
> On Tue, Feb 16, 2010 at 7:17 AM, Matus UHLAR - fantomas
>  wrote:
> > Are you aware of all security concerns when intercepting HTTPS connections?
> >
> > ...I just wonder when the first proactive admin (or one of his managers)
> > will be sent to prison for breaking into users' connections.

On 16.02.10 09:40, K K wrote:
> Laws vary by country.  At least in the US, SSL-Intercepting admins are
> much more likely to face civil liability than any sort of criminal
> charge.  So no prison, just bankruptcy.

It highly depends on what the admin will do with the data: whether, and
what, data will leak out.

> With the requirement to load a public key on the machine being
> intercepted, generally this is only deployed in situations where the
> owner of the proxy also already "owns" the user machine.

I still would like to warn all admins of the security breach involved in
using sslbump and the legal or ethical risks of doing that.
