RE: [squid-users] Squid and SSL interception (ssl-bump)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Nov 2012 12:10:13 +1300

On 01.11.2012 04:49, Heinrich Hirtzel wrote:
> Hi Eliezer
>  
>> what iptables rules have you used?
>> also you better use squid 3.2 for ssl-bump.
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 81 -j REDIRECT
> --to-port 3128
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j REDIRECT
> --to-port 443
>  
>> also you better use squid 3.2 for ssl-bump.
> K, will try that. Stay tuned :-)
>  
>> take a look at:
>> http://wiki.squid-cache.org/Features/SslBump
>> and
>> http://wiki.squid-cache.org/Features/DynamicSslCert
>  
> I've read through them for at least 10 times (I'm not kidding) and
> tried various different configurations without finding any solution.
> Maybe I simply missed something :-/
>  
> Do I need to compile squid with '--enable-ssl-crtd' or is
> '--enable-ssl' enough?

For HTTPS interception ssl-crtd is better. The server-first feature and
certificate-mimic are even better.
Squid-3.3, which has these, is needed for anything close to useful HTTPS
port 443 interception.

Amos
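A squid.conf fragment that puts the advice above into practice on a Squid 3.3 built with both --enable-ssl and --enable-ssl-crtd. It is added here as an example and is not from the thread; the listening port 3129, the helper and database paths, and the CA file names are assumptions.

```conf
# squid.conf fragment for Squid 3.3 (configure with --enable-ssl --enable-ssl-crtd)
# Added example, not from the thread: port 3129, paths and CA file names are assumed.

# Plain HTTP interception, as in the thread (REDIRECT --to-port 3128)
http_port 3128 intercept

# HTTPS interception. The kernel REDIRECT for dport 443 must point at the port
# this https_port listens on, i.e. --to-port 3129, not --to-port 443, because
# Squid is not listening on 443 itself:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem \
    key=/etc/squid/ssl_cert/myCA.key

# The ssl_crtd helper from --enable-ssl-crtd generates per-site certificates.
# Its database is initialised once, before starting Squid, with:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# server-first: Squid connects to the origin server before answering the client,
# so the generated certificate mimics the real one (certificate-mimic) and the
# origin's certificate is validated before the client sees any response.
ssl_bump server-first all

# Fail closed on upstream certificate errors instead of hiding them from clients
sslproxy_cert_error deny all
```

Clients must trust myCA.pem, otherwise every bumped site shows a certificate warning; the CA's private key should never leave the proxy.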
Received on Wed Oct 31 2012 - 23:10:16 MDT