On 2014-04-02 04:39, Beto Moreno wrote:
Hi.
Working this past days with squid3.3.10 and the ssl-bump which works
in most of the sites I use, but don't know all the sites my users
access.
Exist 1 site, my bank account, is one of the sites that won't let me
access with ssl-bump enable.
My doubt is if u know, how the comercial proxies handle this?, do they
have the same behaviour?
Because is beautiful the way this works, but trying to fix the issue
with my bank is what keep me nervous if I send this to production.
SSL-bump just generates a valid (or carefuly copied inaccurate)
certificate with incorrect keys.
If your bank is using HSTS or DANE then SSL-bump is easily detected and
can be warnied or rejected by a client UA validating the certificates
with those mechanisms.
Another common cause is one part of the system using seroiously outdated
crypto. Ensure your SSL library and certificates are up to date. If tis
happens at the banks end I would not use their HTTPS access until its
fixed.
Someone here has this features in production, how do u handle this
problems with sites ssl issues.
My bank, the funny thing is that, don't show me any browser error, is
just send me a popup screen with some words like "ip client", is all,
difficult to troubleshoot.
Strange. Exact errors are important here SSL/TLS is highly complex
behind the scenes and all the little software-speficic issues makes it
complex.
Amos
