thanks Amos.
- George
--
Sent from:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Understood, not altering the bytes. My question is simple:
if using squid to do splicing proxy action of https sessions, is there a
squid configuration to block/drop the session if the remote server's
certificate is signed by an 'untrusted' CA?
thanks.
George
>There should not need to be anything configured though. Rejecting
>unknown root CAs is how TLS is designed to work. With splice the error
>should be produced by your UA/Browser.
Although the client I have has the root cert of that untrusted CA from
server but getting the TLS handshaking error, it
Sorry, I should have said 'Trusted self-signed' CA vs non-Trusted. I was in
one enterprise; they used a proxy server, and when I went to a non-trusted CA
server, I got a TLS handshaking error, but it worked fine when going to a
'trusted' CA server. And I know my connection on the proxy was not an
SSL-Bump.
Is there a way, not using ssl-bump, on squid to verify the remote server has
the certificate signed by some well-known CA or self-signed? Does that
change if the server is running TLS 1.2 or 1.3?
thanks.
George
Thanks Amos,
Good to know the MIME types are forwarded if the payload is being relayed.
What will be the expectation on the HTTP custom headers, such as
'X-Request-ID' or 'X-Serial-Number', if they are set from the client, during the
proxy relay process? Will those also be forwarded unchanged, or is
I would like to know, in the case of a proxy (can be ssl-bump), does the squid
proxy pass the HTTP MIME type to the other side of the connection? Such as
application/x-protobuf, application/json, text/plain, etc. What is the
expectation on this for the other HTTP header information?
thanks.
- Georg
>That is saying the "ssl-bump" flag requires "intercept" on that port
>directive.
>
>SSL-Bump is intercepting the TLS layer. It makes no sense for a client
>to explicitly open TCP connections to Squid when trying to perform TLS
>with a different server elsewhere.
but my proxy's purpose is to do t
>No. You receive a server cert and the CA chain required to validate that
>server cert.
>
>Stop thinking of certs as belonging to the proxy. It seems to be
>confusing you. All 3 certs can be called "the proxy's certs" and yet
>none of them is a "proxy cert" in TLS definitions.
Amos,
but those t
>> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>> -showcerts ",
>> noticed two of the three certs from that display is from the proxy server
>> I
>> think. the first one
>> is the modified host cert. maybe that's the way to get proxy server's
>> certs.
>>
>You are using S
Actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
-showcerts ",
I noticed two of the three certs from that display are from the proxy server, I
think. The first one
is the modified host cert. Maybe that's the way to get the proxy server's certs.
thanks.
George
>this is http port, speaking http. This is not a https port, so you can't
>speak https to it. The difference between 3128 and 3129 is, when you issue
>CONNECT request to 3129, squid tries to communicate using SSL as if it was
>the destination server (or, whatever you configure in ssl_bump options
> how is port 3129 defined in squid.conf?
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=prime
> The same openssl command can connect to any type of TLS server.
True. But the proxy server may not run normal TLS service or listen on the
port 443.
The proxy with SSL-Bump is listening on the 3129 for example, I have
certainly tried:
openssl s_client -connect proxy-server-ip:3129 -showcert
a
Running a client program through a proxy server, I was given the proxy's
root CA certificate file. When applied, I got this error on the program: "x509:
certificate signed by unknown authority". Now I'm wondering if the so-called
"proxy's root CA cert" is given correctly.
I know for openssl, I can
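The "certificate signed by unknown authority" failure above is what a TLS client reports when the CA file it was handed did not issue the leaf certificate it received. This added example (not from the thread or from the Squid project) reproduces that offline with openssl: it builds a throw-away "proxy root CA", a leaf cert signed by it (what a bumping proxy presents to the client), and a second unrelated CA, then verifies the leaf against each the way a client would. All names, subjects and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "certificate signed by unknown authority" offline.
set -eu
WORK=$(mktemp -d)              # constructed scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: self-signed CA cert + key (constructed, valid 1 day)
make_ca() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/$1.key" -subj "$2" -days 1 \
        -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA SUBJECT: leaf cert for SUBJECT signed by CA (constructed)
make_leaf() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$3" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# verify_leaf CA LEAF: prints "ok" when LEAF chains to the CA file,
# otherwise "unknown-authority" (the client-side failure in the thread)
verify_leaf() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-authority
    fi
}

# issuer_of LEAF: the issuer DN, to compare by eye with the CA file's subject
issuer_of() {
    openssl x509 -noout -issuer -in "$WORK/$1.pem"
}

make_ca proxyca "/CN=Constructed Proxy Root CA"
make_ca otherca "/CN=Constructed Unrelated CA"
make_leaf site proxyca "/CN=example.test"

issuer_of site                 # issuer=CN = Constructed Proxy Root CA
verify_leaf proxyca site       # ok: this CA file really issued the leaf
verify_leaf otherca site       # unknown-authority: wrong CA file given to the client
```

If the second case is what the client program sees, the file handed over is not the CA that signs the proxy's generated host certificates, and comparing the leaf's issuer with the CA file's subject shows the mismatch.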
Right. that works now.
thanks.
- George
Did an 'openssl dhparam -out dhparams.pem 4096' to generate the dhparams.pem
file, and added those into the squid.conf:
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=/u
>Yes, look for "client certificate" in your squid.conf.documented.
Ok. For the 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
verify the client cert against this list before allowing the connection to go
further? Or can it use those client certificates also for other things?
Also the RFC TL
Hi,
I've seen some posts saying there is a way to configure the squid proxy to
get the client certificate. But to be scalable (assume it has many https
clients) I'm wondering if the proxy can ask for the client certificate and
modify that certificate in negotiating the session with the server; just
li
I'm running the squid latest from download site. 4.9
Ok, I suspect that was related to my ^C running the process in the foreground,
but I also see before that there are warning messages in the log:
2019/12/09 19:23:12.116 kid1| WARNING:
/usr/local/squid/libexec/security_file_certgen -s
/usr/local/squid
I'm wondering if this issue reported last year is fixed:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-4-security-file-certgen-helpers-crashing-td4687098.html
or is there a work around.
thanks.
- George
Hi Alex,
This time I tried a little differently; this is the log from getting the server
certs to closing the
SSL with an error, and at the end, it is also saying security_file_certgen
crashes rapidly!!!
Below is the output of the log.
thanks.
- George
The version 4.9 has the same behavior; it cannot finish negotiating with the
client.
I have set up two different client machines, one is macOS, the other alpine
linux.
I finally got the macOS wget https to work through the squid 4.9 proxy with
ssl-bump.
So the squid config is ok.
The alpine linux, us
Hi Amos,
I downloaded the 4.9 latest, and compiled with "./configure
--with-default-user=proxy --with-openssl --enable-ssl-crtd", did not redo the
openssl and proxy certificate part, started squid with 4.9, still seeing
failure. Have not debugged in detail.
Quick question, when compiling for the bump usa
Hi Amos,
thanks for the comments. I'll first try the later version as you pointed out
4.9 and see if I get the issues. Will report back.
thanks.
- George