Re: [squid-users] transproxy message for https

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 28 Feb 2013 22:06:17 -0700

On 02/28/2013 05:17 AM, Pedro Correia Sardinha wrote:
>
> > Is there a mechanism by which I can intercept port 443 and alert the
> > user that a proxy is required, e.g. if they try to go to
> > https://www.apple.com then they get redirected to a website with
> > instructions on how to configure their device (iPhones in this case)
> > to the proxy.

> Yes, there is such a mechanism (search for SslBump) but it requires
> impersonating the secure server that the user was trying to connect to,
> so it is not very usable unless your users trust your self-signed SSL
> certificate as they trust certificates from well-known Root CAs. SslBump
> also has many negative side effects, even when users trust your
> certificate.

> What about using SslBump with MimicSslServerCert (
> http://wiki.squid-cache.org/Features/MimicSslServerCert ) ?
> I'm interested in implementing a transparent bridge proxy server (Tproxy4)
> with https filtering.

Yes, that is the mechanism I referred to above.

> Is it possible to deploy the 3.3.x series without CA
> Cert installation in users' browsers?

Yes, but users will get lots of browser errors and warnings, making
surfing secure sites nearly impossible for them unless they install your
CA certificate.

HTH,

Alex.
Received on Fri Mar 01 2013 - 05:06:39 MST
