[squid-users] SslBump and bad cert

From: Ming Fu <Ming.Fu_at_watchguard.com>
Date: Tue, 24 May 2011 14:39:51 +0000

Hi,

When using SslBump and encountering a bad server cert, Squid can choose to deny or allow such an error. A static ACL can be used to choose the sites for which Squid would tolerate a bad cert. However, such an ACL is like a fixed list in the configuration. Every time a user encounters a new problem site, the Squid admin has to modify the ACL. The Squid administrator is also required to clean up this list frequently. Is there a way I can let the user at the browser override a certificate error message and temporarily proceed to a site with a bad cert, without involving the Squid administrator to modify the ACL for sslproxy_cert_error?

The following is probably no good for security, but it is no worse than without SslBump involved.

I was wondering whether it is possible for Squid to sign, on the fly, a man-in-the-middle cert that is as flawed as the bad server certificate, instead of denying it outright. E.g., if the server cert has expired, sign an expired Squid cert for the browser. At least this will reproduce the same behavior as when SslBump is not turned on. The browser will warn about the certificate problem and the user can proceed at his own risk. The Squid administrator can be kept out of the loop in dealing with not-so-well-maintained server certificates.

Regards,
Ming
Received on Tue May 24 2011 - 14:42:31 MDT
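As an added illustration of the static approach the post describes (an editor's example, not configuration taken from the post or from the Squid project), here is a constructed squid.conf fragment. The dstdomain list is the "fixed list" the administrator has to keep editing; the ssl_error ACL narrows the exemption to one class of error instead of tolerating every validation failure for those hosts. The hostnames are placeholders, and the ssl_error ACL type is assumed to be available in the Squid build in use.

```conf
# Constructed example squid.conf fragment (editor's example, not from the post).
# Hostnames are placeholders.

# The "fixed list" from the post: servers whose broken certificates are tolerated.
# Every new problem site means editing this line and reconfiguring Squid.
acl BrokenButTrustedServers dstdomain .legacy.example.net intranet.example.com

# Narrow what is tolerated: only an expired certificate, not every failure.
# (assumes the ssl_error ACL type; the error name is the OpenSSL X509_V_ERR_* name)
acl ExpiredCertOnly ssl_error X509_V_ERR_CERT_HAS_EXPIRED

# Checked in order: both ACLs on the allow line must match, so only an
# expired certificate from a listed host is tolerated; everything else fails.
sslproxy_cert_error allow BrokenButTrustedServers ExpiredCertOnly
sslproxy_cert_error deny all
```

Two ACLs on one allow line are ANDed, so a self-signed or name-mismatched certificate from the same hosts still terminates the connection, which is a tighter exemption than allowing every error for a host. The explicit `deny all` matches Squid's behaviour when the directive is absent (every server certificate validation error terminates the transaction), but stating it keeps the policy readable. Note that sslproxy_cert_error is evaluated with fast ACL types only, so a slow external ACL lookup is not an escape hatch for handing the decision to a per-user service; that constraint is part of why the list ends up static.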

This archive was generated by hypermail 2.2.0 : Tue May 24 2011 - 12:00:03 MDT