Hello Alex,

You got it! I'm glad to see you are considering it. This article relates that it will be available in 3.3. As 3.2 has been in beta for years, I'm a bit afraid it could take a long time before having the feature in a stable release. I'm also seeing that this feature relies on Bump-Server-First, which will also allow bumping of intercepted SSL connections. That's another "must have" feature :). Do you think this work will be backported to the STABLE branch as you did for dynamic SSL bump on the 3.1 branch? Are ETAs reliable?

Thank you very much.
Regards.

-----Original Message-----
From: Alex Rousskov [mailto:[email protected]]
Sent: Tuesday, 3 January 2012 20:12
To: Vincent Miszczak
Cc: [email protected]
Subject: Re: Feature request (SSLBump): generate erroneous certificate if original is option

On 01/03/2012 08:19 AM, Vincent Miszczak wrote:
> Hello,
>
> I'm currently testing Squid 3.1.18 and particularly the dynamic SSL
> Bump feature.
>
> This is working fine as expected but I think it could be better:
>
> Using dynamic SSL Bump, if the remote certificate has issues, you have
> 2 choices:
>
> sslproxy_cert_error deny *** or sslproxy_cert_error allow ***
>
> If you allow those errors, you open a huge security breach.
>
> If you deny those errors, the page is denied by Squid and you have a
> regression in the sense that you cannot choose as a user to consider the
> risk or not; the proxy has decided for you and you lose freedom. In
> real life scenarios this is really painful.
>
> One cool feature would be the possibility (configuration directive) to
> forward original certificate errors on the dynamically generated
> certificate. So the user would be prompted about the risk and he could
> choose to consider it or not.

Hi Vincent,

Server certificate mimicking is useful for both valid and broken origin server certificates. This feature is being implemented now:

http://wiki.squid-cache.org/Features/MimicSslServerCert

Cheers,

Alex.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

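To make the allow/deny trade-off from the quoted request concrete, here is an added squid.conf fragment (not from this thread or the Squid project) that places the blanket "allow every error" setting beside one scoped to a single error type and destination; the CA path, ACL names and the hostname are placeholders.

```squid
# Added example, not from the thread. Squid 3.1-style dynamic SSL bump.
# The CA file and the legacy hostname below are placeholders.
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/example-ca.pem
ssl_bump allow all

# The "huge security breach" variant: every origin certificate error is
# ignored, so an expired or forged server certificate is silently re-signed
# by the proxy CA and the browser sees a clean, trusted certificate.
# sslproxy_cert_error allow all

# Narrower alternative: tolerate one named error for one named destination
# and deny everything else, so unexpected failures still stop the page.
acl ExpiredOnly ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl InternalLegacy dstdomain legacy.example.internal
sslproxy_cert_error allow ExpiredOnly InternalLegacy
sslproxy_cert_error deny all
```

Both ACLs on the allow line must match, so the exception covers only that error on that host; the cache.log entry for a denied error is the place to check which X509 error name a new exception would need.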