Hello,

If I browse the internet **without** a proxy like squid, and if I use a 
browser like firefox, the certificate management of SSL connections looks, as 
far as I can tell, safe and secure.

One of my favorite web pages to test this is: https://revoked.grc.com/
Going to this site must generate an error such as a "revoked certificate" 
rejection.

But if I browse with squid "behind", configured with SSL bumping and host 
certificate generation (so that my proxy works well for https), this site 
(https://revoked.grc.com/) is **not** filtered, which is, to my eye, a big 
security hole...

Questions (I have been searching for answers for several months, without success):

-while using squid, is it possible to have an SSL/HTTPS level of security at 
least as high as with a reference like firefox (assuming this is a reference; 
in my humble opinion, regarding certificate management, it is, as I don't know 
better)?

-do you know of any implementation of the NSS library (the security library of 
firefox, probably safer than openssl) as a certificate checking helper (cf. 
sslcrtvalidator_program)?

-how to manage certificate lists, especially automatic updates of them (e.g. 
use of OCSP inside squid helpers)? Could we access tweaks like the maximum 
acceptable age of certificate validity, white and black lists of trust 
authorities, exclusion of self-signed certificates, etc.?

Thanks for any help, any suggestion!
Jérémie


PS1: some test web pages for which, to my mind, security fails with squid:
-https://revoked.grc.com (my "favorite"; browsing must fail)
-https://www.ssllabs.com/ssltest/viewMyClient.html (to get the big picture, 
especially if OCSP stapling is active)
-https://www.howsmyssl.com/ (not as good as the previous one; provides another 
point of view)

PS2: my squid 3.5 runs on debian wheezy 7.6; here is my squid.conf (only my 
additions on top of the default file content); so far I am trying to have a 
transparent (implicit) proxy, but an explicit proxy is not better (only a 
simpler configuration):

# SSL bumping configuration
# (each directive must be on a single line in squid.conf; the mail client
# wrapped the long ones)
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid-3.5/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB

# SSL Options - to mimic firefox; some of the ciphers are weak but some of my
# favorite websites need them :(
sslproxy_options NO_SSLv2,No_Compression
sslproxy_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!3DES:!PSK
# Refuse every server certificate that fails Squid's own OpenSSL chain
# verification (expired, untrusted CA, name mismatch, ...). That verification
# does not by itself consult OCSP or a CRL; revocation checks belong in an
# sslcrtvalidator_program helper.
sslproxy_cert_error deny all

# Splice access lists (this traffic is passed through without bumping)
acl splice_client src 192.168.2.30
acl splice_domain dstdomain .paypal.com
acl splice_dst dst 66.211.169.66 66.211.169.3

# HTTPS access
ssl_bump splice splice_client
ssl_bump splice splice_domain
ssl_bump splice splice_dst
# server-first is still accepted by squid 3.5 but is deprecated there in
# favour of the peek/stare/bump steps
ssl_bump server-first all

# Hide PROXY
via off
forwarded_for delete

# Cache management
cache_dir ufs /var/cache/squid 500 16 256
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
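Editor's note on the revocation question in the post above: Squid's own server-certificate check (what "sslproxy_cert_error deny all" acts on) is OpenSSL chain validation, so a revoked but otherwise well-formed certificate passes it; the hook Squid offers for an additional check is precisely the sslcrtvalidator_program helper named in the second question. What follows is an added example, not code from the original post and not Squid's bundled cert_valid.pl: a small helper in Python that parses the cert_validate request, hashes every certificate in the chain, reports X509_V_ERR_CERT_REVOKED for any whose SHA-256 fingerprint is on a local deny list (a text file that a cron job can regenerate from a CRL or OCSP source, which addresses the "automatic updates" question), and passes back the errors Squid already found. The message framing (cert_validate <size> <body> terminated by a \x01 byte, OK/ERR/BH replies, an optional leading concurrency channel id, and the helper's error list replacing Squid's own) is my reading of the Squid "SslServerCertValidator" documentation and is an assumption here; the certificates, fingerprints and host names are constructed stand-ins, not real certificates.

```python
"""Minimal Squid sslcrtvalidator_program helper (added example; assumed framing:
[<channel> ]cert_validate <size> <body>\\x01, body = key=value lines with
multi-line cert_N PEM blocks and error_name_N/error_cert_N entries; reply
OK 0 / ERR <size> <body> / BH 0, each followed by \\x01)."""
import base64
import hashlib
import os
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build sample input here)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----")


# Constructed sample data, NOT real X.509 certificates: the helper never parses
# X.509 structure, it only hashes the DER bytes, so any bytes demonstrate it.
SAMPLE_REVOKED_DER = b"constructed stand-in for the DER of a revoked leaf cert"
SAMPLE_REVOKED_PEM = make_pem(SAMPLE_REVOKED_DER)
SAMPLE_OK_PEM = make_pem(b"constructed stand-in for an unrelated, valid cert")

# Deny list: lowercase hex SHA-256 of DER certificates. A real deployment would
# fill it via load_denylist() from a file refreshed from a CRL/OCSP source.
DENYLIST = {hashlib.sha256(SAMPLE_REVOKED_DER).hexdigest()}


def load_denylist(path: str) -> set:
    """One hex fingerprint per line; '#' starts a comment."""
    with open(path, encoding="ascii") as fh:
        return {ln.split("#", 1)[0].strip().lower() for ln in fh
                if ln.split("#", 1)[0].strip()}


def fingerprint_of_pem(pem: str) -> str:
    """SHA-256 of the DER bytes inside a PEM certificate, lowercase hex."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate")
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()


def parse_body(body: str) -> dict:
    """Parse key=value lines; a cert_N value runs until END CERTIFICATE."""
    fields, cert_key, cert_lines = {}, None, []
    for line in body.split("\n"):
        if cert_key is not None:                      # inside a PEM block
            cert_lines.append(line)
            if "-----END CERTIFICATE-----" in line:
                fields[cert_key] = "\n".join(cert_lines)
                cert_key, cert_lines = None, []
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.startswith("-----BEGIN CERTIFICATE-----") and "-----END" not in value:
            cert_key, cert_lines = key, [value]       # PEM continues below
        else:
            fields[key] = value
    return fields


def validate(fields: dict) -> list:
    """Return (error_name, reason, cert_key) triples for the whole chain."""
    errors, i = [], 0
    while f"error_name_{i}" in fields:                # 1. keep Squid's findings
        errors.append((fields[f"error_name_{i}"],
                       "reported by Squid's built-in OpenSSL verification",
                       fields.get(f"error_cert_{i}", "cert_0")))
        i += 1
    i = 0
    while f"cert_{i}" in fields:                      # 2. local deny list
        fp = fingerprint_of_pem(fields[f"cert_{i}"])
        if fp in DENYLIST:
            errors.append(("X509_V_ERR_CERT_REVOKED",
                           f"fingerprint {fp[:16]}... is on the local deny list",
                           f"cert_{i}"))
        i += 1
    return errors


def compose_response(errors: list) -> str:
    if not errors:
        return "OK 0 "
    lines = []
    for n, (name, reason, cert_key) in enumerate(errors):
        lines += [f"error_name_{n}={name}", f"error_reason_{n}={reason}",
                  f"error_cert_{n}={cert_key}"]
    body = "\n".join(lines) + "\n"
    return f"ERR {len(body.encode())} {body}"


def handle_request(request: str) -> str:
    """Handle one message (without its \\x01 terminator); return the reply."""
    channel = ""
    if request.split(" ", 1)[0].isdigit():            # concurrency channel id
        channel, request = request.split(" ", 1)
        channel += " "
    try:
        code, size, body = request.split(" ", 2)
        body = body[: int(size)]
    except ValueError:
        return channel + "BH 0 "
    if code != "cert_validate":
        return channel + "BH 0 "
    return channel + compose_response(validate(parse_body(body)))


def build_request(host: str, pems: list, squid_errors=()) -> str:
    """Build a request the way Squid would (for local testing only)."""
    lines = [f"host={host}", "proto_version=TLSv1.2", "cipher=ECDHE-RSA-AES128-GCM-SHA256"]
    lines += [f"cert_{i}={pem}" for i, pem in enumerate(pems)]
    for n, (name, idx) in enumerate(squid_errors):
        lines += [f"error_name_{n}={name}", f"error_cert_{n}=cert_{idx}"]
    body = "\n".join(lines) + "\n"
    return f"cert_validate {len(body.encode())} {body}"


def main() -> None:
    """Helper loop: \\x01-terminated messages on stdin, replies on stdout."""
    if len(sys.argv) > 1:
        DENYLIST.update(load_denylist(sys.argv[1]))
    buf = b""
    while chunk := os.read(0, 65536):
        buf += chunk
        while b"\x01" in buf:
            msg, buf = buf.split(b"\x01", 1)
            if msg.strip():
                os.write(1, handle_request(msg.decode("utf-8", "replace")).encode() + b"\x01")


if __name__ == "__main__":
    main()
```

To try it, point Squid at the script with something like "sslcrtvalidator_program /usr/local/bin/cert_denylist.py /etc/squid/revoked-fingerprints.txt" (path and file name assumed) and tune sslcrtvalidator_children; the channel-id branch in handle_request is what keeps it working when that directive enables concurrency. Generating the fingerprint file from a CRL is the part this helper deliberately leaves outside Squid, so it can run on any schedule and any data source without touching the proxy.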
