Re: [squid-users] squid + icap for recording ssl data for forensic analysis.

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 20 Aug 2010 07:50:08 -0600

On 08/20/2010 04:35 AM, Roberto Martelloni wrote:

> I have read that in the roadmap of Squid 3.3, dynamic SSL cert hijacking
> will be available.
>
> I'm interested in this functionality plus an ICAP module to record all SSL
> sessions for network forensic analysis, post-incident.
>
> Do you think it is possible to use Squid + SslBump + ICAP/eCAP to write
> down in a structured way all the SSL data forwarded by the proxy?
>
> Does anyone have any suggestion or experience in this kind of utilization,
> or can't the ICAP/eCAP functionality be used for this purpose? Is it out of
> scope?

What you want is indeed possible. Some caveats:

(a) ICAP/eCAP are not related to SslBump in any way. Those APIs do not
know where the traffic is coming from and whether it was encrypted at
some point or will be encrypted later. Knowing which pieces are
independent may help you understand the overall architecture better. You
will need an ICAP or eCAP adapter to record traffic. It is fairly easy
to write a simple one though.

(b) Dynamic SSL Certificate Generation does not work with transparent
proxies at this time, and there is currently no project to add such
functionality. Doing so would require a serious development effort.

(c) While there is an outdated patch adding Dynamic SSL Certificate
Generation to Squid v3.1, there is currently no project to update that
code. I am optimistic that we will do it within two months, but I cannot
promise anything. Synchronizing and committing that patch to trunk is
required to get the feature into v3.2 or v3.3.

HTH,

Alex.
Received on Fri Aug 20 2010 - 13:55:30 MDT
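A sketch of the kind of recording adapter Alex describes in (a), added here as an example and not code from this thread or from Squid: it parses one ICAP RESPMOD message of the shape Squid sends, de-chunks the encapsulated response body and emits a structured record of the exchange. The service URL, client address and sample HTTP exchange are constructed values.

```python
import hashlib

def parse_headers(block: bytes):
    """Split an HTTP or ICAP header block into (start line, {lowercase name: value})."""
    start, *rest = block.decode("latin-1").split("\r\n")
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in rest if ln)}
    return start, hdrs

def dechunk(data: bytes) -> bytes:
    """Decode the HTTP/1.1 chunked coding ICAP uses for encapsulated bodies."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                      # skip the chunk and its CRLF

def record_respmod(msg: bytes) -> dict:
    """Turn one ICAP RESPMOD request into a structured record of the HTTP exchange."""
    head, _, encaps = msg.partition(b"\r\n\r\n")
    icap_line, icap_hdrs = parse_headers(head)
    if not icap_line.startswith("RESPMOD "):
        raise ValueError("only RESPMOD messages are recorded")
    # "Encapsulated: req-hdr=0, res-hdr=N, res-body=M" lists byte offsets into the payload;
    # each section runs from its offset to the next one, the last to the end of the message.
    parts = sorted(((n.strip(), int(v)) for n, v in
                    (p.split("=") for p in icap_hdrs["encapsulated"].split(","))),
                   key=lambda nv: nv[1])
    sections = {n: encaps[start:(parts[i + 1][1] if i + 1 < len(parts) else len(encaps))]
                for i, (n, start) in enumerate(parts)}
    req_line, req_hdrs = parse_headers(sections.get("req-hdr", b""))
    res_line, res_hdrs = parse_headers(sections["res-hdr"])
    body = dechunk(sections["res-body"]) if "res-body" in sections else b""
    return {"client": icap_hdrs.get("x-client-ip"),  # present with icap_send_client_ip on
            "request": req_line, "host": req_hdrs.get("host"), "response": res_line,
            "content_type": res_hdrs.get("content-type"), "body_bytes": len(body),
            "body_sha256": hashlib.sha256(body).hexdigest()}

def build_sample() -> bytes:
    """Constructed RESPMOD message in the shape Squid sends (not captured traffic)."""
    req = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    body = b"5\r\nhello\r\n0\r\n\r\n"  # chunked, as ICAP requires
    head = (b"RESPMOD icap://127.0.0.1:1344/record ICAP/1.0\r\nHost: 127.0.0.1\r\n"
            b"X-Client-IP: 10.0.0.5\r\nEncapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
            % (len(req), len(req) + len(res)))
    return head + req + res + body
```

A listening loop around this would read one message per connection, call record_respmod, append the record as one JSON line, and answer `ICAP/1.0 204 No Modifications Needed` so the response is forwarded untouched. Squid is pointed at such a service with `icap_enable on`, `icap_service rec respmod_precache bypass=on icap://127.0.0.1:1344/record` and `adaptation_access rec allow all` (Squid 3.1 directive names).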