Re: [squid-users] transparent https interception without mitm

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 11 Jul 2014 15:05:23 -0600

On 07/11/2014 10:18 AM, James Lay wrote:
> On 2014-07-11 10:14, Alex Rousskov wrote:
>> On 07/11/2014 05:43 AM, James Harper wrote:
>>
>>> Is it possible for squid to intercept and apply ACLs to HTTPS
>>> without actually decrypting and generating certificates etc? The
>>> conversation would go something like:
>>
>>> . Client makes connection to IP 1.2.3.4
>>> . Squid intercepts the connection (but doesn't respond yet)
>>> . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
>>> identifier) of the certificate [1]
>>> . Squid applies ACL rules to the hostname [2]
>>> . If the ACL results in a deny then the client connection is dropped [3]
>>> . If the ACL results in an allow then a new connection is made to
>>> 1.2.3.4 and squid just blindly proxies the TCP connection
>>>
>>> [1] I believe certificates can be valid for multiple hostnames, and
>>> wildcards, so this would have to be taken into account
>>> [2] stream is encrypted, so obviously no access to URL etc
>>> [3] dropped, because there isn't much else you can do with it,
>>> although maybe at this point a fake cert could be used to supply an
>>> "access denied" page?
>>
>>
>> I believe the above is one of the use cases that SSL Peek and Splice
>> project aims to address. Look for step2 "peek" and "terminate" actions
>> specifically:
>>
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> IIRC, both of those actions are supported in the experimental project
>> branch, but we have not polished the changes for the official submission
>> yet.
>>
>> https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
>>
>>
>> HTH,
>>
>> Alex.
>
> I'd like this as well...how do we get the branch? Thanks.

See the URL above. You will need a bzr client to check the code out and
a development environment to bootstrap the sources and build Squid. Please
note that this unofficial trunk-based feature branch is not supported by
the Squid Project.

Thank you,

Alex.
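For readers arriving at this thread later: the conversation James describes (intercept, look at the server's identity without decrypting, apply an ACL, then either drop or blindly relay the TCP stream) maps onto the SslBump steps of the feature linked above. The following squid.conf fragment is an added example, not configuration from the thread or from the experimental bzr branch; it is written against the directive syntax the feature shipped with in Squid 3.5, which may differ from the branch as it stood in July 2014. The port number, certificate path and the blocked domain are placeholders.

```conf
# Added example: peek-then-splice/terminate without decrypting client traffic.
# Syntax as of the released Squid 3.5 feature, not the 2014 experimental branch.

# Intercepted HTTPS port. A cert= is still required even though nothing is
# bumped here, because the port must be declared ssl-bump capable.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid.pem   # placeholder path

# SslBump1: only the client TCP/SNI information is available.
# SslBump2: the server's certificate has been fetched (peeked) but the
#           client connection is still untouched and undecrypted.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name matches the client's SNI at step1 and, after a peek at
# step2, the names in the origin server's certificate (CN/SAN, including
# wildcard entries as Squid interprets them). ".example.com" is a placeholder
# and also matches subdomains.
acl blocked_sites ssl::server_name .example.com

# Step 1: peek at the ClientHello (SNI) and forward it to the origin.
ssl_bump peek step1
# Step 2: peek at the origin's handshake to learn the certificate names.
ssl_bump peek step2
# Step 3: drop the connection (TCP close, no forged "access denied" page)
# for names on the deny list; splice everything else, i.e. relay the TCP
# stream without ever generating a certificate for the client.
ssl_bump terminate blocked_sites
ssl_bump splice all
```

Two practical caveats. Because no fake certificate is ever presented to the client, a denied connection can only be closed, which is exactly the "[3]" case in the question; serving an "access denied" page would require a bump action and a locally trusted CA. And since the decision at step 2 relies on what the origin's certificate says about itself, a hostile or misconfigured origin can present a certificate with arbitrary names, so treat ssl::server_name as a policy hint rather than an authenticated identity unless you also validate the origin certificate chain.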
Received on Fri Jul 11 2014 - 21:05:43 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 12 2014 - 12:00:05 MDT