On 01/03/2012 08:19 AM, Vincent Miszczak wrote:
> Hello,
> 
> I’m currently testing Squid 3.1.18 and particularly the dynamic SSL Bump
> feature.
> 
> This is working fine as expected but I think it could be better:
> 
> Using dynamic SSL Bump, if the remote certificate has issues, you have 2
> choices:
> 
> sslproxy_cert_error deny *** or sslproxy_cert_error allow ***
> 
> If you allow those errors, you open a huge security breach.
> 
> If you deny those errors, the page is denied by Squid and you have a
> regression in the sense that you cannot choose as a user to consider the
> risk or not; the proxy has decided for you and you lose freedom. In
> real-life scenarios this is really painful.
> 
> One cool feature would be the possibility (configuration directive) to
> forward original certificate errors on the dynamically generated
> certificate. So the user would be prompted about the risk and he could
> choose to consider it or not.

Hi Vincent,

    Server certificate mimicking is useful for both valid and broken
origin server certificates. This feature is being implemented now:
http://wiki.squid-cache.org/Features/MimicSslServerCert


Cheers,

Alex.
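For readers of this thread: the "allow everything or deny everything" choice described above is not the only option in Squid 3.1, because sslproxy_cert_error takes ACLs, and the ssl_error ACL type matches individual OpenSSL verification errors. The fragment below is an added example written for this page, not configuration posted by either participant or shipped by the Squid project. The certificate paths and the .intranet.example domain are placeholders; the only real identifiers are the Squid directives, the ssl_error ACL type and the OpenSSL error name X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.

```conf
# Added example (not from the thread): narrowing certificate-error tolerance
# in Squid 3.1 dynamic SSL Bump instead of a blanket allow or deny.

# Dynamic SSL Bump as discussed in the thread; cert/key paths are placeholders.
http_port 3128 ssl-bump generate-host-certificates=on \
    cert=/etc/squid/ssl/bump-ca.pem key=/etc/squid/ssl/bump-ca.key
acl bump_targets dstdomain .intranet.example
ssl_bump allow bump_targets
ssl_bump deny all

# The one origin whose self-signed certificate is a known, accepted risk
# (placeholder domain), and the single OpenSSL error that certificate raises.
acl known_selfsigned_host dstdomain .intranet.example
acl selfsigned_error ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

# Weak setting the thread warns about: every verification error on every
# site is silently ignored and the client sees a valid, Squid-signed chain.
# sslproxy_cert_error allow all

# Narrow setting: ignore only that error, only for that host (multiple ACLs
# on one line are ANDed). Expired certificates, name mismatches, untrusted
# issuers and every other error still terminate the connection, which is
# also Squid's default when no sslproxy_cert_error line matches.
sslproxy_cert_error allow selfsigned_error known_selfsigned_host
sslproxy_cert_error deny all
```

The trade-off Vincent raises still stands: with this configuration the user is never shown the original error, so whatever is allowed here is a decision the proxy administrator makes on the user's behalf. Keeping the allow list to named hosts and named errors, and logging the rest, keeps that decision small and auditable until the mimicking feature Alex points to makes the error visible in the browser again.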