[squid-users] Re: SSL-proxy filtering

From: Henrik Nordstrom <[email protected]>
Date: Thu, 31 Mar 2005 03:44:39 +0200 (CEST)

On Thu, 31 Mar 2005, [ISO-8859-1] Henrik �sterlund Gram wrote:

> I realize that, but I also realize that there are a number of
> (commercial) products available that accomplish this. It should be
> possible to simply act as an SSL server yourself and while the
> certificates would be different (the proxy's) seen from the actual
> client and server's perspective, at least it could work.

Yes, and this is not very hard to implement, just that noone have done so
for Squid yet.

Requirements:

1. A fake CA, preferably trusted by the clients.

2. Interception of CONNECT requests, making a fake certificate matching
the requested server name, then switch accept the connection as an https
connection (same as https_port is doing).

Squid-3 or Squid-2.5+SSL update is required to start with, as Squid-2.5
can not initiate SSL connections, only accept them..

All in all should not be more than a screenful or two of code. A bit more
if you want to get advanced and echo the real servers certificate info in
your fake certificate.

Regards
Henrik
Received on Wed Mar 30 2005 - 18:44:41 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:03 MST