Hey Antony,

Thanks for the quick response.

  - What sort of firewall is this?

The firewall is a Cisco FTDv 6.6.

  - What does "HTTPS inspect" actually mean?
  - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
between client and server (neither of which is the firewall)?
  - What does "inspect" mean?  What information is revealed from the inspection
of the encrypted communication?

It's doing something they call 'decrypt and resign', similar to how ssl_bump works, so would putting the firewall certificate in the Squid server's trusted certificate source be enough?

Why?  Where would the proxy servers need to be instead, in order for this
inspection to work?

Good question, their documentation says the following:

   HTTP proxy limitation

   The system cannot decrypt traffic if an HTTP proxy is positioned
   between a client and your managed device, and the client and server
   establish a tunneled TLS/SSL connection using the CONNECT HTTP
   method. The Handshake Errors undecryptable action determines how the
   system handles this traffic.

Alternatively, how does/would it work if the proxy were not there, and clients
communicated directly to the Internet through the firewall?

If the proxy wasn't there, it looks like it works the same as ssl_bump.

Have you asked the suppliers / authors / vendors of the firewall?

Not yet but I will be doing so today.

If it's the firewall telling you there's a problem, this doesn't entirely feel
like a Squid question.

Okay, what if we removed the firewall and replaced it with another Squid proxy
server that is also doing ssl_bump? I assume this would work, but are
there negative implications of doing so?

Appreciate you taking the time.

Thanks,

Will
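As an added illustration of the trust question raised above (this is not configuration from the thread, and the file paths, port and CA file names are assumptions): when Squid runs ssl_bump it is the TLS client on the Internet-facing side, so if the firewall decrypts and resigns, the server certificate Squid receives is issued by the firewall's resigning CA. Squid verifies outgoing TLS connections against the bundle named in tls_outgoing_options, so that CA has to be present there or the bump fails with a certificate verification error. Directive names are those of Squid 4 and later.

```conf
# squid.conf fragment (added example; paths and names are assumptions)

# LAN side: Squid mints per-site certificates under its own bumping CA.
# LAN clients must trust squid-bump-ca.pem for bumped sites to validate.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/squid-bump-ca.pem \
    tls-key=/etc/squid/ssl/squid-bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first, then bump everything that reaches step 2.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Internet side: Squid validates the origin (or firewall-resigned) certificate
# against this bundle. It must contain the public CAs you normally trust PLUS
# the firewall's resigning CA, otherwise every bumped connection through the
# firewall fails verification.
tls_outgoing_options cafile=/etc/squid/ssl/upstream-ca-bundle.pem

# Do NOT work around verification errors with flags=DONT_VERIFY_PEER on
# tls_outgoing_options: that disables upstream certificate checking entirely
# and turns the proxy into a blind relay for any interposed certificate.
```

With this layout there are two independent CAs to distribute: LAN clients trust Squid's bumping CA, and only Squid trusts the firewall's resigning CA. Keeping them separate means a client can still tell which hop it is actually talking to, and revoking or rotating one CA does not affect the other.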

On 04/01/2022 00:35, Antony Stone wrote:
On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:

Hey all,

I currently have the following network topology; it's emulating a real-world
environment. The proxy is running ssl_bump.

LAN <-> Squid Proxy <-> Firewall <-> Internet

From the firewall's perspective, all client connections are originating
from the proxy server.
Okay, that makes good sense.

We're wanting to use the https inspect feature of the firewall,
Please give more details?

  - What sort of firewall is this?
  - What does "HTTPS inspect" actually mean?
  - How does the firewall "inspect" HTTPS traffic, which by design is encrypted
between client and server (neither of which is the firewall)?
  - What does "inspect" mean?  What information is revealed from the inspection
of the encrypted communication?

but according to our firewall documentation it appears due to the location of
our proxy servers we would be unable to do so.
Why?  Where would the proxy servers need to be instead, in order for this
inspection to work?

Alternatively, how does/would it work if the proxy were not there, and clients
communicated directly to the Internet through the firewall?

My question is, if the proxy is behaving as a MITM between itself and
the client, can't the Firewall do the same thing between itself and the
proxy?
I agree.  Have you asked the suppliers / authors / vendors of the firewall?

I suspect it is possible, but might potentially involve a lot of headaches
and a big hit on performance?
Who knows?

If it's the firewall telling you there's a problem, this doesn't entirely feel
like a Squid question.


Antony.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users