On 06/29/2009 01:32 PM, Henrik Nordstrom wrote:
> sön 2009-06-28 klockan 14:18 -0600 skrev Alex Rousskov:
>
>> Ok, but can you tell what the patch does? Forwards raw SSL connections
>> to the next hop, as if Squid was a TCP proxy?
>
> Yes.
>
>> Something else?
>
> Not really. But supports both forwarded mode and standalone (connecting
> direct, or via a parent proxy).
OK, I see.
>>> Do not work with SslBump I think. SslBump requires the CONNECT right?
>> I do not think so. In my tests, SslBump worked for WCCP-intercepted SSL
>> connections.
>
> Are you sure that's SslBump, and not just https_port?
You may be right. I thought I did change something in https_port when
working on SslBump but I may be misremembering. If I did, it was
certainly very little because most of the work was on the CONNECT
requests handling. I do remember that I tested WCCP redirection of "port
443" traffic and it worked (with certificate warnings).
> https_port works kind of in interception mode, if the certificate
> warnings/errors is ignored.. has always been like that just not
> documented very well.
Agreed.
> Note: SslBump (long term) could be made to work in interception mode
> with modern browsers sending the requested hostname in the initial SSL
> hello message.
Thank you,
Alex.
Received on Mon Jun 29 2009 - 21:40:34 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 30 2009 - 12:00:06 MDT