Re: [squid-users] transparent https interception without mitm

From: James Lay <jlay_at_slave-tothe-box.net>
Date: Fri, 11 Jul 2014 15:10:57 -0600

On 2014-07-11 15:05, Alex Rousskov wrote:
> On 07/11/2014 10:18 AM, James Lay wrote:
>> On 2014-07-11 10:14, Alex Rousskov wrote:
>>> On 07/11/2014 05:43 AM, James Harper wrote:
>>>
>>>> Is it possible for squid to intercept and apply ACLs to https
>>>> without actually decrypting and generating certificates etc? The
>>>> conversation would go something like:
>>>
>>>> . Client makes connection to IP 1.2.3.4
>>>> . Squid intercepts the connection (but doesn't respond yet)
>>>> . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
>>>> identifier) of the certificate [1]
>>>> . Squid applies ACL rules to the hostname [2]
>>>> . If the ACL results in a deny then the client connection is
>>>> dropped [3]
>>>> . If the ACL results in an allow then a new connection is made to
>>>> the 1.2.3.4 and squid just blindly proxies the TCP connection
>>>>
>>>> [1] I believe certificates can be valid for multiple hostnames,
>>>> and wildcards, so this would have to be taken into account
>>>> [2] stream is encrypted, so obviously no access to URL etc
>>>> [3] dropped, because there isn't much else you can do with it,
>>>> although maybe at this point a fake cert could be used to supply
>>>> an "access denied" page?
>>>
>>>
>>> I believe the above is one of the use cases that SSL Peek and
>>> Splice project aims to address. Look for step2 "peek" and
>>> "terminate" actions specifically:
>>>
>>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>>
>>> IIRC, both of those actions are supported in the experimental
>>> project branch, but we have not polished the changes for the
>>> official submission yet.
>>>
>>>
>>> https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>
>> I'd like this as well...how do we get the branch? Thanks.
>
> See the URL above. You will need a bzr client to check the code out
> and a development environment to bootstrap the sources and build
> Squid. Please note that this unofficial trunk-based feature branch is
> not supported by the Squid Project.
>
>
> Thank you,
>
> Alex.

Thanks Alex...I'll give it a go.

James
Received on Fri Jul 11 2014 - 21:11:03 MDT
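The peek-then-terminate-or-splice flow James Harper sketches above (fetch the server certificate, collect every name it asserts, run a deny ACL over those names, then either drop the connection or relay it blindly) is easy to get subtly wrong on footnote [1]: a certificate covering several names or a wildcard means a deny on one name can hit connections to unrelated hosts that share the certificate. The following is an added example written for this thread, not code from Squid or from the peek-and-splice branch. It implements the decision logic in Python, using the dict shape that Python's own ssl.SSLSocket.getpeercert() returns and Squid dstdomain-style ACL entries ("example.com" exact, ".example.com" for the domain and everything under it); the sample certificate and ACL are constructed, and the live peek_server_cert() helper opens its own TLS handshake from the proxy rather than forwarding the client's ClientHello as the Squid feature does, so it is a simplification:

```python
"""Decision logic for a peek-then-splice/terminate TLS policy.

Mirrors the flow described in the thread: fetch the server certificate
without decrypting client traffic, collect every hostname the certificate
asserts (CN plus DNS SANs, wildcards included), apply a deny ACL, and
either drop ('terminate') or blindly relay ('splice') the connection.
Constructed example for the thread; not Squid code.
"""
import socket
import ssl


def _norm(host):
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def names_from_peercert(cert):
    """Collect the CN and DNS SANs from a dict in getpeercert() shape."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(_norm(value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(_norm(value))
    unique = []
    for n in names:            # de-duplicate, keeping first occurrence
        if n not in unique:
            unique.append(n)
    return unique


def _entry_hits_name(entry, name):
    """True if some host matched by the ACL entry could be served under `name`.

    ACL entries use Squid dstdomain style: 'example.com' is exact and
    '.example.com' covers example.com and everything below it. Certificate
    names may be wildcards '*.example.com', which RFC 6125 limits to exactly
    one leftmost label (so '*.example.com' covers a.example.com but neither
    example.com itself nor b.a.example.com).
    """
    entry, name = _norm(entry), _norm(name)
    sub_ok = entry.startswith(".")
    dom = entry.lstrip(".")
    if name.startswith("*."):
        base = name[2:]
        if dom == base:
            return sub_ok                  # wildcard never covers the apex
        if dom.endswith("." + base):
            label = dom[: -len(base) - 1]
            return "." not in label        # wildcard spans one label only
        return sub_ok and base.endswith("." + dom)
    if name == dom:
        return True
    return sub_ok and name.endswith("." + dom)


def decide(cert, deny_acl):
    """Return ('terminate', offending_name) or ('splice', None).

    Conservative: if ANY name the certificate asserts hits the deny list,
    the connection is dropped, since the stream is encrypted and nothing
    tells us which of those names the client is really talking to.
    """
    for name in names_from_peercert(cert):
        for entry in deny_acl:
            if _entry_hits_name(entry, name):
                return "terminate", name
    return "splice", None


def peek_server_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate as a dict (live network; not run offline).

    Assumption: the default context verifies against the system trust store,
    which is what makes getpeercert() return the parsed dict rather than {}.
    Connecting by bare IP without SNI, as in the original sketch, will often
    yield a server's default certificate rather than the one the client sees.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.net")),
}
DENY_ACL = [".blocked.example", "tracker.cdn.example.net"]  # constructed

if __name__ == "__main__":
    action, why = decide(SAMPLE_CERT, DENY_ACL)
    print(action, why)
```

Run as a script it reports "terminate *.cdn.example.net": the denied host tracker.cdn.example.net is one label under the wildcard, so the proxy cannot rule it out and drops the connection even though the client may have been heading for www.example.com. That is the cost of deciding on certificate names alone; the SNI in the ClientHello, which the real peek step also sees, is what narrows the decision to the host the client actually asked for.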
