Re: [squid-users] SslBump and bad cert

2011-05-25 Thread Amos Jeffries
On 25/05/11 05:45, Ming Fu wrote: Hi Alex, One question about sslbump implementation, was the client side cert exchange done before squid starts the ssl to the server? If so, it might be too late when squid learns that the server cert is not good. The client side cert was already sent out.

RE: [squid-users] SslBump and bad cert

2011-05-25 Thread Ming Fu
It is too late to alter the client certificate. By the time a server connection is opened Squid may have already served replies out of cache to the client. I am a bit surprised. Can sslbump make some https content cacheable? Meanwhile it is worth investigating why you are getting so many

Re: [squid-users] SslBump and bad cert

2011-05-25 Thread Amos Jeffries
On 26/05/11 01:01, Ming Fu wrote: It is too late to alter the client certificate. By the time a server connection is opened Squid may have already served replies out of cache to the client. I am a bit surprised. Can sslbump make some https content cacheable? Why surprised? ssl-bumps'

RE: [squid-users] SslBump and bad cert

2011-05-25 Thread Ming Fu
It is too late to alter the client certificate. By the time a server connection is opened Squid may have already served replies out of cache to the client. I am a bit surprised. Can sslbump make some https content cacheable? Why surprised? ssl-bumps' purpose is to remove the SSL

RE: [squid-users] SslBump and bad cert

2011-05-25 Thread Amos Jeffries
On Wed, 25 May 2011 16:16:54 +, Ming Fu wrote: It is too late to alter the client certificate. By the time a server connection is opened Squid may have already served replies out of cache to the client. I am a bit surprised. Can sslbump make some https content cacheable? Why

[squid-users] SslBump and bad cert

2011-05-24 Thread Ming Fu
Hi, When using sslbump and encountering a bad server cert, the squid can choose to deny or allow such error. Some static ACL can be used to choose the sites that the squid would tolerate a bad cert. However, such acl is like a fixed list in the configure. Every time the user encounters a new

Re: [squid-users] SslBump and bad cert

2011-05-24 Thread Alex Crow
E.g. if the server cert has expired, sign an expired squid cert to the browser. At least this will reproduce the same behavior as if the sslbump is not turned on. The browser will warn about the certificate problem and the user can proceed at his own risk. The squid administrator can be kept out of

RE: [squid-users] SslBump and bad cert

2011-05-24 Thread Ming Fu
E.g. if the server cert has expired, sign an expired squid cert to the browser. At least this will reproduce the same behavior as if the sslbump is not turned on. The browser will warn about the certificate problem and the user can proceed at his own risk. The squid