Re: [pfSense] Squid transparent ssl proxy

2012-07-25 Thread Stefan Baur

On 25.07.2012 05:17, Jerome Alet wrote:

> Any idea what I'm doing wrong ?

This is what you're doing wrong:

> Now I'd like to set it up as an HTTPS transparent proxy as well.

HTTPS traffic is encrypted, and squid is lacking the proper 
keys/certificates to decrypt it.


In theory, you could set up squid with its own certificates, but that 
will turn squid into a man-in-the-middle, i.e. all your clients will 
complain that the certificate doesn't match the sites they're trying to 
access.


IOW: Just don't do it.

I'd suggest looking into browser autoconfiguration using auto.pac / 
wpad.dat files.


-Stefan
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
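As an added illustration of the browser autoconfiguration route Stefan points to (not code from the thread, pfSense or Squid), here is a minimal wpad.dat / proxy.pac that sends HTTP and HTTPS to the proxy explicitly and leaves local hosts direct. The proxy address 10.0.0.1:3128, the 10/8 and 192.168/16 ranges and the example.lan domain are assumptions.

```javascript
// Added example PAC script (wpad.dat / proxy.pac), not from the original thread.
// Proxy 10.0.0.1:3128, the 10/8 and 192.168/16 ranges and ".example.lan" are
// assumed values. PAC built-ins such as isInNet()/isPlainHostName() exist only
// inside browsers, so the checks use plain string and number operations; this
// keeps the script testable offline in Node.

// Fall back to DIRECT if the proxy is unreachable.
var PROXY = "PROXY 10.0.0.1:3128; DIRECT";

// Parse a dotted-quad IPv4 literal into a 32-bit number; -1 if not an IPv4 literal.
function ipToInt(s) {
  var p = s.split(".");
  if (p.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return -1;
    n = n * 256 + Number(p[i]);
  }
  return n;
}

// True if host is an IPv4 literal in 10.0.0.0/8 or 192.168.0.0/16 (assumed LAN ranges).
function isLocalAddress(host) {
  var n = ipToInt(host);
  if (n < 0) return false;
  return Math.floor(n / 16777216) === 10 || Math.floor(n / 65536) === 192 * 256 + 168;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Unqualified names and loopback never leave the site: no proxy.
  if (h.indexOf(".") === -1 || h === "localhost" || h === "127.0.0.1") return "DIRECT";
  // Private LAN addresses and the internal domain are reached directly.
  if (isLocalAddress(h) || h.slice(-12) === ".example.lan") return "DIRECT";
  // Everything else, HTTP and HTTPS alike, goes through the explicit proxy.
  // For https:// URLs the browser issues a CONNECT; the TLS session itself is
  // relayed untouched, so Squid needs no certificate of its own.
  var scheme = url.slice(0, url.indexOf(":") + 1).toLowerCase();
  if (scheme === "http:" || scheme === "https:" || scheme === "ftp:") return PROXY;
  return "DIRECT";
}
```

Because the browser knows about the proxy, there is no interception and therefore no certificate mismatch for the clients to complain about; Squid only sees the destination host and port of each CONNECT.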


Re: [pfSense] Squid transparent ssl proxy

2012-07-25 Thread jerome alet
Good evening,

>
> From: Stefan Baur newsgroups.ma...@stefanbaur.de
> Sent: Wed Jul 25 17:51:19 NCT 2012
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] Squid transparent ssl proxy
>
>
> On 25.07.2012 05:17, Jerome Alet wrote:
>
>> Any idea what I'm doing wrong ?
>
> This is what you're doing wrong:
>
>> Now I'd like to set it up as an HTTPS transparent proxy as well.
>
> HTTPS traffic is encrypted, and squid is lacking the proper
> keys/certificates to decrypt it.
>
> In theory, you could set up squid with its own certificates, but that
> will turn squid into a man-in-the-middle, i.e. all your clients will
> complain that the certificate doesn't match the sites they're trying to
> access.

I know this is man in the middle, and I even wrote that we were OK with the 
browser message which clearly says there's something like a man in the middle 
attack going on.

Since I've added its own certificate to Squid, it isn't lacking them, and so it 
*should* work from what I've read on the net about this subject. But clearly 
I'm missing something because instead of having the traffic decrypted by Squid 
and then encrypted again by Squid for local clients, I've got a Protocol Error. 

So my original question was not about it being OK to do it or not, but more 
about why it didn't work as expected.

Thanks for your feedback anyway, if I can't do otherwise I'll play with 
autoconfiguration scripts.

bye

-- 
Jerome Alet