Re: [squid-users] Help with server-first and mimic server certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 15 Feb 2013 17:31:49 +1300

On 15/02/2013 2:23 a.m., Prasanna Venkateswaran wrote:
> Hi,
> I have been trying to set up squid which can intercept https
> traffic without client (read it as browser proxy) changes. I am using
> the latest squid 3.3.1. When I actually open a https site I still see
> the certificate with the parameters I provided (for myCA.pem) and I
> don't see any of the original certificate's properties being mimicked.
> I have listed my config below. Please let me know whether I am missing
> anything. Pardon me if I am overlooking any config. I am relatively new
> to squid.
>
> My iptables config:
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp
> dpt:www redir ports 3128
> REDIRECT tcp -- anywhere anywhere tcp
> dpt:https redir ports 3129
>
>
> My Squid config:
>
> http_access deny all
> always_direct allow all
> ssl_bump server-first all
>
> # Squid normally listens to port 3128
> http_port 3128 transparent
> https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump

Mimic only works when the certificate is being created by Squid.

The above config line is a _static_ certificate configuration. Whatever
request arrives at Squid will have its SSL set up using the myCA.pem keys,
which were created by you in advance and are fixed.

What you need is a _dynamic_ certificate configuration, with the CA
certificate, private key= certificate and generate-* SSL options enabled
on this port to allow Squid to create new certificates as needed.

Amos
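The two https_port forms Amos contrasts, written out side by side as an added example (editor's illustration, not part of the original thread and not the poster's config). It reuses the paths and port from the question (/etc/squid/ssl_cert/myCA.pem, port 3129) and the Squid 3.3 option names; the helper path /usr/lib/squid/ssl_crtd and the database directory /var/lib/ssl_db are assumptions that vary by distribution.

```conf
# --- Static certificate (the form in the question). Squid presents
# myCA.pem itself for every intercepted site, so nothing from the origin
# server's certificate is mimicked and every host shows the same cert.
#https_port 3129 intercept cert=/etc/squid/ssl_cert/myCA.pem ssl-bump

# --- Dynamic certificate generation (the form mimic needs). myCA.pem is
# now used as a signing CA and must contain the private key as well as the
# certificate; if the key is in a separate file, add key=/path/to/key.pem.
# generate-host-certificates=on makes Squid mint a per-host certificate,
# signed by this CA, that copies properties of the server's certificate.
# dynamic_cert_mem_cache_size bounds the in-memory cache of minted certs.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

# The helper that signs the generated certificates and its on-disk
# database. Assumed paths: create the database once, as the user Squid
# runs as, before starting Squid:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# server-first: connect to the origin server first, so its certificate is
# in hand to mimic before Squid hands the client a generated one.
ssl_bump server-first all
always_direct allow all
```

Two checks after switching to the dynamic form: the minted certificates are signed by myCA, so the browsers behind the proxy must have that CA's public certificate installed as trusted or they will still warn, just with a different certificate than before; and the question's `http_access deny all` denies every request regardless of how the port is configured, so some `http_access allow` rule for the intercepted clients is needed before anything can be tested.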
Received on Fri Feb 15 2013 - 04:31:58 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 19 2013 - 12:00:04 MST