[OT] squid and https.

2011-02-11 Thread Alessandro Baggi
Hi list. I have a squid proxy with URL filtering and file AV scanning 
composed of OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp. All 
works fine, but I'm not able to get https traffic scanned. To avoid this, 
we can use squid-3.1.11 with the ssl-bump feature.
At this point I've tried to set up this configuration on a Linux host, to 
avoid breaking my firewall, on Slackware 13.1 + squid-3.1.11 + sslbump + 
c-icap + squidclamav-6.0 + squidGuard + clamav.


from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT and 
transparently redirected SSL traffic, using configurable client- and 
server-side certificates. While decrypted, the traffic can be inspected 
using ICAP.


At this point no explanation about sslbump is needed.
All HTTP and HTTPS traffic will be scanned greatly.

I've also tried to set up an env with: Slackware 13.1 + squid-3.1.11 + 
sslbump + havp + clamav + squidguard. The point is that, to get squid 
working with havp, I must insert a parent (cache_peer) pointing to havp, 
and then when squid gets the request from a client, it sends the request 
to havp, and havp says (rightly) that the request is an invalid request, 
returning the havp page.
Is there a method to avoid this? Or is the problem related only to havp, 
which could not see https traffic?


Another question is about security. With this method, the SSL 
communication between two endpoints is broken with squid in the 
middle. What are the security implications of using this method? Are 
there many pros compared to cons in using this solution?


The last question: why does OpenBSD not get squid-3.x instead of 2.7-x?

Thanks in advance
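
The setup described in this message (squid-3.1 bumping HTTPS and handing the decrypted traffic to c-icap/squidclamav), as an added squid.conf sketch that is not part of the original post. File paths, the listening port, the ICAP address and the `no_bump` ACL are assumptions, and the fragment assumes a Squid built with `--enable-ssl` and `--enable-icap-client`.

```conf
# Added example, not from the thread. Paths, port and ICAP URL are assumptions.

# Forward-proxy port that bumps CONNECT tunnels. cert/key are what Squid
# presents to clients; anyone holding this key can impersonate sites to
# every client that trusts the certificate, so keep it root-only (0600).
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem key=/etc/squid/ssl/proxyCA.key

# Leave selected destinations tunnelled end to end (constructed sample list).
acl no_bump dstdomain .bank.example
ssl_bump deny no_bump
ssl_bump allow all

# Once bumped, the browser no longer sees the origin certificate: Squid is
# the only party validating it. Verify against a CA bundle and refuse
# connections whose certificate fails validation.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all

# Hand decrypted requests and responses to c-icap running squidclamav.
# bypass=0 fails closed: traffic is blocked, not passed unscanned, when
# the ICAP service is unavailable.
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
```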



Re: [OT] squid and https.

2011-02-11 Thread Alessandro Baggi

On 11/02/2011 19:17, R0me0 *** wrote:

Hello Alessandro !

Try reading this

If possible, comment after trying :D

Regards,

spawn

2011/2/11 Alessandro Baggi alessandro.ba...@gmail.com 


Hi list. I have a squid proxy with URL filtering and file AV scanning
composed of OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp.
All works fine, but I'm not able to get https traffic scanned. To
avoid this, we can use squid-3.1.11 with the ssl-bump feature.
At this point I've tried to set up this configuration on a Linux
host, to avoid breaking my firewall, on Slackware 13.1 +
squid-3.1.11 + sslbump + c-icap + squidclamav-6.0 + squidGuard +
clamav.

from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT
and transparently redirected SSL traffic, using configurable
client- and server-side certificates. While decrypted, the traffic
can be inspected using ICAP.

At this point no explanation about sslbump is needed.
All HTTP and HTTPS traffic will be scanned greatly.

I've also tried to set up an env with: Slackware 13.1 + squid-3.1.11
+ sslbump + havp + clamav + squidguard. The point is that, to get
squid working with havp, I must insert a parent (cache_peer) pointing
to havp, and then when squid gets the request from a client, it sends
the request to havp, and havp says (rightly) that the request is
an invalid request, returning the havp page.
Is there a method to avoid this? Or is the problem related only to
havp, which could not see https traffic?

Another question is about security. With this method, the SSL
communication between two endpoints is broken with squid in
the middle. What are the security implications of using this method?
Are there many pros compared to cons in using this solution?

The last question: why does OpenBSD not get squid-3.x instead of 2.7-x?

Thanks in advance


Azz, this solution is very very secure :D. Jokes aside, I've 
read something about this, and I would like assurance of this.

For my second question: because squid-3 permits mitm.

Thanks for the reply.

Best regards