RE: Feature request (SSLBump) : generate erroneous certificate if original is option

From: Vincent Miszczak <vmiszczak_at_ankama.com>
Date: Wed, 4 Jan 2012 10:31:38 +0100

Hello Alex,

You got it! I'm glad to see you are considering it.
This article relates that it will be available in 3.3. As 3.2 has been in beta for years, I'm a bit afraid it could take a long time before having the feature in a stable release.
I'm also seeing that this feature relies on Bump-Server-First that will also allow bump of intercepted SSL connections. That's another "must have" feature :).
Do you think this work will be backported to the STABLE branch as you did for dynamic SSL bump on the 3.1 branch?
Are ETAs reliable?

Thank you very much.

Regards.

-----Original Message-----
From: Alex Rousskov [mailto:rousskov_at_measurement-factory.com]
Sent: Tuesday, 3 January 2012 20:12
To: Vincent Miszczak
Cc: squid-dev_at_squid-cache.org
Subject: Re: Feature request (SSLBump) : generate erroneous certificate if original is option

On 01/03/2012 08:19 AM, Vincent Miszczak wrote:
> Hello,
>
> I’m currently testing Squid 3.1.18 and particularly the dynamic SSL
> Bump feature.
>
> This is working fine as expected but I think it could be better:
>
> Using dynamic SSL Bump, if the remote certificate has issues, you have
> 2 choices:
>
> sslproxy_cert_error deny *** or sslproxy_cert_error allow ***
>
> If you allow those errors, you open a huge security breach.
>
> If you deny those errors, the page is denied by Squid and you have a
> regression in a sense that you cannot choose as a user to consider the
> risk or not; the proxy has decided for you and you lose freedom. In
> real life scenarios this is really painful.
>
> One cool feature would be the possibility (configuration directive) to
> forward original certificate errors on the dynamically generated
> certificate. So the user would be prompted about the risk and he could
> choose to consider it or not.

Hi Vincent,

    Server certificate mimicking is useful for both valid and broken origin server certificates. This feature is being implemented now:
http://wiki.squid-cache.org/Features/MimicSslServerCert


Cheers,

Alex.
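The two sslproxy_cert_error choices discussed in the quoted request, with the narrower middle ground that the directive's ACL form already allows, as an added squid.conf example that is not from this thread or from the Squid project; the domain name is constructed, and it assumes Squid 3.1's ssl_error acl type and OpenSSL's X509_V_ERR_* error names.

```conf
# Choice 1 (the "huge security breach"): every origin certificate
# problem, for every site, is silently hidden behind the proxy's
# freshly generated certificate, so the browser never warns.
# sslproxy_cert_error allow all

# Choice 2 (the "regression"): any origin certificate problem makes
# Squid refuse the page outright; the user gets no say.
# sslproxy_cert_error deny all

# Middle ground available with the directive's ACL form: accept only a
# named set of errors, and only for hosts an administrator has vetted
# (constructed example domain, assumed to run a known self-signed cert).
acl vetted_selfsigned dstdomain .legacy.intranet.example
acl selfsigned_only ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
sslproxy_cert_error allow vetted_selfsigned selfsigned_only

# Everything else (expired certs, name mismatches, unknown CAs on any
# other host) is still refused rather than laundered into a valid cert.
sslproxy_cert_error deny all
```

Rules are evaluated in order, so the final deny keeps the default closed; the allow line only fires when both the destination and the specific error match.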

Received on Wed Jan 04 2012 - 09:31:52 MST
