Quoting Amos Jeffries <squ...@treenet.co.nz>:

Leonardo Carneiro - Veltrac wrote:

Amos Jeffries wrote:
Some factums worth knowing:

* 3.0 does not support sslBump or any other form of HTTPS man-in-middle attacks. 3.1 is required for that.

* sslBump in 3.1 requires that the client machines all have a CA certificate installed to make them trust the proxy for decryption.

* sslBump requires clients to be configured for using the proxy. (Some of the 'transparent' above work this way, some do not.)

Amos

Hi Amos. What is the advantage of using sslBump if I cannot use a transparent proxy with it? Is it the ability to cache SSL content?
Thanks in advance.

Somewhat. Mostly for corporate networks AV scanning or filtering HTTPS connections.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18


Transparent https is working with squid 3.1.0.15_beta-r1.
By transparent I mean that the browser request will be routed to Squid without any configuration.

iptables:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3129

squid.conf:
http_port 127.0.0.1:3128
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent sslBump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem

The only problem I have is that the browser gives warnings, because the certificate didn't match the domain!

Could I get other problems with cookies or something else?

Can I run this Squid version in a production environment?

Now I will test it for some hours..

Regards,
Stefan
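
Added example (not part of the thread, and not Squid's own code): a simplified sketch of the host name check a browser applies to the single fixed certificate presented on the intercepting https_port, which is where the warnings described above come from. The certificate contents are constructed sample data; the subject name proxy.testdomain.de is an assumption taken from the certificate file name in the squid.conf above, and the requested host names are made up.

```python
# Added illustration. The certificate dict is constructed sample data in the
# shape returned by ssl.SSLSocket.getpeercert(); the subject name is assumed
# from the file name proxy.testdomain.deCert.pem in the squid.conf above.
PROXY_CERT = {
    "subject": ((("commonName", "proxy.testdomain.de"),),),
    "subjectAltName": (("DNS", "proxy.testdomain.de"),),
}

def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def name_matches(pattern, host):
    """Simplified RFC 6125 check: case-insensitive, label by label; '*' is
    accepted only as the whole leftmost label of a name with 3+ labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]
    return p == h

def browser_would_warn(cert, requested_host):
    """True when no name in the certificate covers the host the user asked for."""
    return not any(name_matches(n, requested_host) for n in cert_names(cert))

def audit(cert, hosts):
    """Map each requested host to whether a name-mismatch warning is expected."""
    return {host: browser_would_warn(cert, host) for host in hosts}

if __name__ == "__main__":
    # Constructed list of sites a client might request through the intercept port.
    for host, warn in audit(PROXY_CERT, ["proxy.testdomain.de",
                                         "www.example.com",
                                         "mail.example.org"]).items():
        print(f"{host:22} {'name mismatch -> warning' if warn else 'name ok'}")
```

The name check is separate from the trust check: installing the proxy's CA certificate on the clients removes the "untrusted issuer" warning, but a single fixed certificate still fails the name comparison for every host other than the one it was issued for.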
