Re: [squid-users] WCCPv2 and HTTPS problems

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Thu, 08 Nov 2007 22:36:49 -0700

On Thu, 2007-11-08 at 07:49 +0900, Adrian Chadd wrote:
> On Wed, Nov 07, 2007, Alex Rousskov wrote:
>
> > > The browser wraps up the SSL requests in a normal HTTP request ("CONNECT");
> > > transparently intercepted SSL requests look like SSL and not like HTTP.
> > > Squid knows about the former but not currently about the latter.
> >
> > Adrian,
> >
> > AFAIK, Squid can handle HTTPS requests in an accelerated environment
> > setup, using https_port settings. If I configure Cisco to redirect https
> > traffic to Squid https_port using WCCP, will Squid know how to decrypt
> > the request?
> >
> > If yes, then SslBump should work, in principle, for WCCP/HTTPS
> > interception. Testing this is on my to-do list, but I wanted to know
> > whether you foresee any problems with this scheme (other than browser
> > warnings that SslBump causes). Do you?
>
> Nope, it should work - all it needs to do is take the original request
> destination/port and use that (possibly) when forwarding the request.

You were right. In lab tests, SslBump did work for both straight CONNECT
and WCCPv2 redirection cases. The SslBump code lives in the ssl-bump
branch. It will be integrated into Squid v3.1. You can track progress at
http://wiki.squid-cache.org/Features/SslBump

Thank you,

Alex.
Received on Thu Nov 08 2007 - 22:37:08 MST
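
The distinction drawn in the thread (an explicit-proxy "CONNECT" request versus intercepted traffic that "looks like SSL and not like HTTP") can be seen in the first bytes a client sends. The sketch below is an added example, not part of the original messages and not Squid code; the function name, the sample bytes and the `original_dst` argument (the destination recovered by the interception layer) are assumptions made for illustration.

```python
import re

# Request line of an explicit-proxy tunnel: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def classify_first_bytes(data, original_dst):
    """Classify a new client connection from its first bytes.

    data         -- first bytes read from the client socket
    original_dst -- (ip, port) the client was really connecting to, as
                    supplied by the interception layer (assumed input)
    Returns (kind, destination), where destination is where to forward.
    """
    m = CONNECT_RE.match(data)
    if m:
        # Explicit proxy: the destination is named in plain HTTP.
        return "connect", (m.group(1).decode("ascii"), int(m.group(2)))

    # SSLv3/TLS record: type 0x16 (handshake), major version 0x03,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # Intercepted: there is no HTTP request to read, so only the
        # original destination/port says where the client was going.
        return "intercepted-tls", original_dst

    # SSLv2-format hello: high bit set in the 2-byte length, then
    # message type 0x01 (CLIENT-HELLO).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "intercepted-tls", original_dst

    return "unknown", None


# Constructed sample inputs (not captured traffic).
ORIGINAL_DST = ("192.0.2.10", 443)  # documentation address
CONNECT_SAMPLE = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                  b"Host: www.example.com:443\r\n\r\n")
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2F,   # record header
                    0x01, 0x00, 0x00, 0x2B,         # ClientHello header
                    0x03, 0x01])                    # body truncated
SSL2_SAMPLE = bytes([0x80, 0x2E, 0x01, 0x03, 0x01])  # truncated

if __name__ == "__main__":
    for sample in (CONNECT_SAMPLE, TLS_SAMPLE, SSL2_SAMPLE):
        print(classify_first_bytes(sample, ORIGINAL_DST))
```
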