On 11/02/2011 19:17, R0me0 *** wrote:
Hello Alessandro !

Try reading this

If possible, comment after trying :D

Regards,

spawn

2011/2/11 Alessandro Baggi <alessandro.ba...@gmail.com <mailto:alessandro.ba...@gmail.com>>

    Hi list. I have a squid proxy with URL filtering and file AV scanning
    composed of OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp.
    All works fine, but I'm not able to get HTTPS traffic scanned. To
    get around this, we can use squid-3.1.11 with the ssl-bump feature.
    At this point I've tried to set up this configuration on a "linux"
    host, to avoid breaking my firewall, on Slackware 13.1 +
    squid-3.1.11 + sslbump + c-icap + squidclamav-6.0 + squidGuard +
    clamav.

    from http://wiki.squid-cache.org/Features/SslBump:

    Squid-in-the-middle decryption and encryption of straight CONNECT
    and transparently redirected SSL traffic, using configurable
    client- and server-side certificates. While decrypted, the traffic
    can be inspected using ICAP.

    At this point no further explanation about sslbump is needed.
    All HTTP and HTTPS traffic will be scanned, which is great.

    I've also tried to set up an environment with: Slackware 13.1 + squid-3.1.11
    + sslbump + havp + clamav + squidguard. The point is that, to get
    squid working with havp, I must insert a parent (cache_peer) to
    havp, and then when squid gets the request from a client, it sends
    the request to havp, and havp says (rightly) that the request is
    an invalid request, returning the havp error page.
    Is there a method to avoid this? Or is the problem related only to
    havp, which cannot "see" HTTPS traffic?

    Another question is about security. With this method, the SSL
    communication between the two endpoints is broken, with squid in
    the middle. What are the security implications of using this method?
    Are there more pros than cons to using this solution?

    The last question: why does OpenBSD not get squid-3.x instead of 2.7-x?

    Thanks in advance


Azz, this solution is very very secure :D. Jokes aside, I've read something about this, and I wanted assurance of it.
For my second question: because squid-3 permits MITM.

Thanks for the reply.

Best regards
