Re: [squid-users] squid + sslbump + [c-icap] + [squidclamav/havp] + clamav

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Thu, 10 Feb 2011 17:02:35 -0200

There seems to be a misconception about what sslbump can and cannot do.

sslbump can only decrypt SSL connections.
sslbump cannot decrypt all other types of traffic that use the
HTTPS port and CONNECT method.
So, for example, it cannot decrypt Skype traffic and files
containing a virus can still enter the network.

Marcus
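To illustrate the point above, here is an added example that is not from the thread or from Squid itself: sslbump decrypts only TLS, so anything else a client pushes through a CONNECT tunnel (Skype, SSH on port 443, plain HTTP) stays opaque to Squid and to the ICAP scanner behind it. The script classifies the first bytes a client sends after the CONNECT is accepted (taken, for instance, from a packet capture; the three payloads below are constructed) and pulls the SNI out of a real ClientHello, so an operator can see which tunnels are TLS and therefore bumpable, and which will bypass the virus scan no matter how sslbump is configured. Function names are this example's own.

```python
"""Classify what a client sends through a CONNECT tunnel.

Added example: sslbump decrypts only TLS, so the opening bytes of a
tunnel tell an operator whether a tunnel can be bumped at all.
The sample payloads are constructed; names are this example's own.
"""
import struct

TLS_HANDSHAKE = 0x16   # TLS record type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_tunnel_payload(data: bytes) -> str:
    """'tls' if data opens with a TLS ClientHello record, 'http' for a
    plaintext HTTP request line, 'other' for anything else."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 3 and data[5] == CLIENT_HELLO):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "other"


def client_hello_sni(data: bytes):
    """Return the server_name (SNI) from a ClientHello, or None."""
    if classify_tunnel_payload(data) != "tls":
        return None
    try:
        p = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
        p += 1 + data[p]            # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher suites
        p += 1 + data[p]            # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if ext_type == 0:       # server_name extension
                # list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                        # truncated or malformed hello
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension,
    used here only as a test fixture."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32            # version, random
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: what three different clients might send right
# after "CONNECT host:443" succeeds.
SAMPLES = {
    "browser": build_client_hello("www.example.com"),
    "ssh-over-443": b"SSH-2.0-OpenSSH_5.8\r\n",
    "plain-http": b"GET /update.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def audit(samples=SAMPLES):
    """Map each sample name to (class, sni); only 'tls' tunnels can be bumped."""
    return {name: (classify_tunnel_payload(d), client_hello_sni(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (kind, sni) in audit().items():
        print(f"{name:14} {kind:5} sni={sni}  bumpable={kind == 'tls'}")
```

Only the "browser" tunnel is something sslbump can open and hand to squidclamav; the other two carry whatever they carry straight past the scanner, which is why a policy that denies CONNECT tunnels whose first bytes are not a TLS handshake is the usual complement to sslbump.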

Alessandro Baggi wrote:
> Hi list, for many years I've used squid-2.7-STABLE7 for proxying,
> content filtering and virus scan, but it was not able to scan https
> traffic for viruses. Now compiling a package for my system, I've seen
> that in 3.1.x version there is the ssl-bump option to get https traffic
> treated as http traffic.
>
> In my squid.conf I have:
>
> ...
> ..
> ssl_bump allow localnet
> always_direct allow all
>
> http_port 172.16.2.8:3128 ssl-bump cert=/etc/squid/cert/cert.crt key=/etc/squid/cert/key.key
>
>
> My first question is: how do I see if ssl-bump works? In access.log I
> always get CONNECT/DIRECT for HTTPS connections. Is this normal, or does my
> ssl-bump config not work?
>
> Then, my squidclamav version is 6.x and uses c-icap, and I've configured
> squid for icap as:
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> For HTTP connections all works fine, but with HTTPS connections
> I always get CONNECT/DIRECT.
> On http://wiki.squid-cache.org/Features/SslBump I get:
>
> Squid-in-the-middle decryption and encryption of straight *CONNECT* and
> transparently redirected SSL traffic, using configurable client- and
> server-side certificates. While decrypted, the traffic can be inspected
> using ICAP.
>
> Then at this point ssl-bump must permit squidclamav to see files
> (decrypted) over https?
>
> If yes, there is a misconfiguration on my side; can you point me in the right
> direction? (If you need my squid.conf I can post it)
>
> Thanks in advance.
>
>
Received on Thu Feb 10 2011 - 19:02:39 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 11 2011 - 12:00:03 MST