On Mon, Jan 07, 2008, Dumpolid Exeplish wrote:
> Adrian,
>
> How can this be possible? Can you explain?

* You can treat the SSL connection as just a TCP tunnel type connection.
  (And if you need to pass it to an upstream proxy, just wrap it in CONNECT.)

* You can then do a few things, like:

  - without breaking the connection:
    - fingerprint the SSL cipher maybe?
    - source/destination IP addresses
    - destination port
    - destination host, if given in the CONNECT request

  - breaking the SSL connection (i.e., terminating it and then issuing an SSL connection outbound):
    - well, you've got access to the whole datastream, so anything
    - but you have to play SSL certificate games so your users don't get hounded by their browsers about insecure certificates.

Squid-3 is growing something (called "SslBump") which will introduce some of these features. I'd like to introduce similar functionality in Squid-2 once the squid-3 code is complete and debugged.

Adrian
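The "without breaking the connection" options above amount to reading what the client sends in the clear before any encryption starts. The following is an added example (not Squid code and not from this thread) that pulls the destination host and port out of a CONNECT request line and the offered cipher suite ids out of a TLS ClientHello record; it goes one step beyond the message by also reading the SNI extension, which carries the destination host even when there is no CONNECT wrapper. The ClientHello bytes are constructed by the example itself, not captured traffic.

```python
import struct

def parse_connect(request_line: bytes):
    """Return (host, port) from an HTTP 'CONNECT host:port HTTP/1.x' line."""
    method, target, _version = request_line.strip().split(b" ", 2)
    if method != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(b":")
    return host.decode("ascii"), int(port)

def parse_client_hello(record: bytes):
    """Return (cipher suite ids, SNI host) read from a cleartext TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:  # handshake record holding a ClientHello
        raise ValueError("not a ClientHello record")
    body = record[5:]                    # strip the 5-byte TLS record header
    pos = 4 + 2 + 32                     # handshake header, client_version, random
    pos += 1 + body[pos]                 # session_id (length-prefixed)
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                 # compression_methods (length-prefixed)
    sni = None
    if pos + 2 <= len(body):             # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0:               # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return ciphers, sni

def build_client_hello(host: str, ciphers) -> bytes:
    """Constructed sample input (TLS 1.2 ClientHello with an SNI extension), not a captured one."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_connect(b"CONNECT mail.example.com:443 HTTP/1.1\r\n"))
    print(parse_client_hello(build_client_hello("mail.example.com", [0xC02F, 0x009C])))
```

Everything read here is visible to any device on the path, which is why a proxy can log or apply policy to host, port and cipher selection without terminating the session; only the "breaking the SSL connection" mode in the message requires certificate substitution.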