Re: [squid-users] Squid v3.3.8 & SSL Bumping Issues

From: David Marcos <davem.business_at_gmail.com>
Date: Wed, 9 Jul 2014 18:22:42 -0400

Alex, et al,

Thanks very much for the suggestions. The tip-off that HSTS issues
may actually be a symptom, not the problem, was key. Turns out I did
not properly install my self-signed root certificate into my laptop.
Once I fixed that, everything started working.

Thanks again for the help!

   -Dave

On Wed, Jul 9, 2014 at 1:59 PM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 07/08/2014 08:17 PM, David Marcos wrote:
>
>> b. HTTP Strict Transport Security (HSTS): Some pages flat-out
>> reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
>> aggravates the issue. Is there a way to configure Squid to get around
>> HSTS? (Yes, I know this may be a dumb question given how HSTS works,
>> but would appreciate any insight.)
>
>
> HSTS is an active area of research so I do not have final answers for
> you, but my current understanding is:
>
> a) HSTS itself is more-or-less compatible with SslBump. If you can
> successfully convince an HTTP client to trust the Root certificate used
> by Squid, then sites visited by that client will not violate any
> standard HSTS rules.
>
> b) Bumping errors unrelated to HSTS may be misinterpreted as
> HSTS-related errors because the browser says "I cannot render that site
> because of HSTS". What the browser means, in some cases, is that "I do
> not trust that site [because there was a bumping problem] and HSTS rules
> prevent me from showing you the sites I do not trust". In this
> particular case, HSTS is mostly irrelevant. Once you fix the true cause
> of distrust, everything should work.
>
> c) If a browser or browser plugin "pins" a certificate to a site, it
> will not trust any other certificate for that site, possibly resulting
> in HSTS errors. See item (b) above for why these are not actually HSTS
> errors. In this case, there may be no solution -- you cannot force the
> browser to unpin the certificate if that pinning was hard-coded.
>
>
> Corrections welcomed!
>
>
> HTH,
>
> Alex.
>

-- 
___________________________________________________________
David J. Marcos
davem.business_at_gmail.com
Received on Wed Jul 09 2014 - 22:22:48 MDT
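The mechanics behind Alex's points (a) and (b), as an added example that is not part of this thread or of Squid: a small Python model of the client side of RFC 6797. It parses a Strict-Transport-Security header, keeps a known-hosts store with includeSubDomains matching and expiry, and reports what a conforming browser does when the presented certificate chain fails validation. HSTS never demands a particular certificate, only a chain the client trusts, which is why a properly installed Squid root CA is compatible with it, and why an uninstalled one produces a non-bypassable error that merely looks like an "HSTS error". The host names, header value and timestamps are constructed sample data.

```python
"""RFC 6797 HSTS client model: header parser, known-host store, error verdict.

Added example; not code from squid-users or from Squid itself.
"""
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    expires: float           # absolute time in epoch seconds
    include_subdomains: bool


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid: no max-age, a repeated directive, or a non-numeric max-age.
    Unknown directives (e.g. "preload") are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                 # a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # the value may be a quoted-string
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known HSTS Hosts, keyed by lower-cased host name."""

    def __init__(self):
        self._policies = {}

    def note_header(self, host, header_value, now=None):
        """Record, refresh or delete a policy learned from a response.

        Callers must only feed headers received over a TLS connection that
        validated cleanly; RFC 6797 says headers seen on connections with
        certificate errors are ignored. max-age=0 deletes the policy.
        """
        now = time.time() if now is None else now
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = HstsPolicy(host, now + max_age, include_subdomains)
        return True

    def is_known_host(self, host, now=None):
        """Exact match, or superdomain match when that policy includes subdomains."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def certificate_error_verdict(store, host, chain_trusted, now=None):
    """What a conforming UA does with the presented certificate chain.

    RFC 6797 (sections 8.4 and 12.1): for a Known HSTS Host every certificate
    error is fatal with no user recourse. A bumped connection whose Squid root
    CA is missing from the client therefore ends in "hard-fail", which users
    read as an HSTS problem even though the real cause is the untrusted chain.
    """
    if chain_trusted:
        return "ok"
    if store.is_known_host(host, now):
        return "hard-fail"       # no click-through offered
    return "interstitial"        # ordinary, bypassable certificate warning


def demo():
    """Walk the scenario from the thread with constructed sample data."""
    store = HstsStore()
    now = 1_700_000_000
    # Policy learned earlier from a response over a cleanly validated connection.
    store.note_header("example.test", "max-age=31536000; includeSubDomains; preload", now)
    return {
        "apex_untrusted": certificate_error_verdict(store, "example.test", False, now),
        "sub_untrusted": certificate_error_verdict(store, "login.example.test", False, now),
        "other_untrusted": certificate_error_verdict(store, "other.test", False, now),
        "apex_trusted": certificate_error_verdict(store, "example.test", True, now),
        "apex_expired": certificate_error_verdict(store, "example.test", False, now + 31536001),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run it directly to see the five verdicts; `apex_trusted` is the state Dave reached once his root certificate was installed, and `apex_untrusted` is what he saw before.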
