[squid-users] SSL Bump and dynamic SSL generation

From: Tom Holder <tom_at_simpleweb.co.uk>
Date: Sun, 11 May 2014 17:24:11 +0100

Hi,

I've configured Squid 3 with SSL bump and dynamic SSL generation and
it works really well when I use it for just browsing the Internet.

My problem is I'm trying to 'mimic' a live web site and the server
Squid is on does not have access to the live Internet.

E.g. site1.com doesn't actually go to site1.com on the live Internet;
I'm redirecting it to a local version of site1.com.

The problem is dynamic SSL generation and SSL Bump require connecting
to the real site1.com to grab the certificate. When it tries to
connect to my local site1.com there is just a generic SSL I've
generated with the wrong common name and this causes the browser to
throw an SSL error. Note, I'm not trying to do this for anything dodgy
here, the custom CA is installed into the end user's computer and
this is not a transparent proxy, it's only because the common name
isn't matching that I'm getting issues.

The only way around this I can think of without hacking Squid (a
possibility but my C++ is poor), is to build something that hooks into
the rewrite connect method to generate a certificate myself, load
it into the web server and then my own local site1.com will have a
correct cert.

Has anyone had a similar issue or managed to solve this? I might have
missed something in the docs but I don't think so and I realise this
is a bit of a strange request.

Thanks
Tom
Received on Sun May 11 2014 - 16:24:19 MDT
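
The name mismatch described in the message above, reproduced offline as an added example (not part of the original post and not Squid's own code): a throwaway lab CA signs one certificate named for an unrelated host and one named for site1.com, and each is checked against site1.com. It assumes the `openssl` command-line tool is installed; the CA name, file layout and lifetimes are constructed.

```sh
#!/bin/sh
# Added lab example. The CA name, file layout and lifetimes are constructed.
set -eu

# make_ca DIR: throwaway CA standing in for the custom CA installed on clients.
make_ca() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_leaf DIR HOST: server certificate whose subjectAltName is HOST.
issue_leaf() {
    dir=$1 host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# cert_ok_for DIR CERT HOST: true only if CERT chains to the lab CA and names HOST.
cert_ok_for() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'
}

d=$(mktemp -d)
make_ca "$d"
issue_leaf "$d" generic.local   # the mismatched certificate from the post
issue_leaf "$d" site1.com       # certificate named for the mirrored site
cert_ok_for "$d" "$d/generic.local.crt" site1.com || echo "generic.local cert: name mismatch"
cert_ok_for "$d" "$d/site1.com.crt" site1.com && echo "site1.com cert: OK"
rm -rf "$d"
```

Both certificates chain to the same CA; only the one whose subjectAltName covers the requested host passes, which is the check the browser is failing on.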

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT