Install Godaddy certificate on squid to use ssl-bumping functionnality


Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
Hi there,

My boss gave me a certificate purchased from GoDaddy to intercept HTTPS requests.

squid.conf:
http_port 3127 transparent
http_port 3128
https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
sslproxy_capath /etc/ssl/certs

When I restart Squid I get an error:
ERROR: Failed to acquire SSL private key
'/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM
routines:PEM_read_bio:no start line

I don't have a private key, so is this normal?

Thanks!

--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow
Hi,

You can't possibly do this. To ssl-bump you need access to a private key
to sign the certs you offer to clients. Not in a million years is a
commercial CA going to give you their private key. Such a key can sign
any certificate, which would then be trusted by any software that
includes GoDaddy's CA (i.e. IE, Firefox, Chrome, etc.).

You need to use OpenSSL to set up your own CA and use its private key in
Squid as the key to generate new certificates. And preferably install
your new CA cert into your users' certificate stores as a Trusted CA.

The private key is basically the thing that any CA has to keep the most
private for SSL to work. Providers like GoDaddy would probably have the
machine that holds the private keys for at least their Root CA on a
private network (if it's even networked at all) and use subordinate CAs
to issue certificates to their clients (i.e. you). Unless you are a very
large trusted organisation and jump through many hoops you will get a
subordinate signing key from a reputable commercial CA.

Otherwise, the internet and SSL would already be more borken than it is
right now ;-)

Alex


On 27/05/14 19:13, Antoine Klein wrote:

> Hi there,
>
> My boss give me a certificate purchased from Godaddy to intercept HTTPS request.
>
> squid.conf :
> http_port 3127 transparent
> http_port 3128
> https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
> sslproxy_capath /etc/ssl/certs
>
> When i restart squid i have an error :
> ERROR: Failed to acquire SSL private key
> '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM
> routines:PEM_read_bio:no start line
>
> I haven't a private key, so is this normal ?
>
> Thanks !
>


Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow
Hi,

Mistake in my post: should be:

  and jump through many hoops you will *NOT* get a subordinate signing
key from a reputable commercial CA.

>
> Otherwise, the internet and SSL would already be more borken than it
> is right now ;-)
>
> Alex
>
>
> On 27/05/14 19:13, Antoine Klein wrote:
>> Hi there,
>>
>> My boss give me a certificate purchased from Godaddy to intercept
>> HTTPS request.
>>
>> squid.conf :
>> http_port 3127 transparent
>> http_port 3128
>> https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
>> sslproxy_capath /etc/ssl/certs
>>
>> When i restart squid i have an error :
>> ERROR: Failed to acquire SSL private key
>> '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM
>> routines:PEM_read_bio:no start line
>>
>> I haven't a private key, so is this normal ?
>>
>> Thanks !
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Eliezer Croitoru
On 05/27/2014 09:13 PM, Antoine Klein wrote:
> My boss give me a certificate purchased from Godaddy to intercept HTTPS request.
Do you need it for a reverse proxy by any chance, or for bumping legit SSL
connections?
I am not sure you know that, but I asked anyway.

Eliezer

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
I want to bump SSL connections, but without producing a warning, of course.

I read that it is possible to generate a certificate signing request with a
key and send this file to an authority to sign it; did you know that?

2014-05-27 16:08 GMT-04:00 Eliezer Croitoru <[hidden email]>:

> On 05/27/2014 09:13 PM, Antoine Klein wrote:
>>
>> My boss give me a certificate purchased from Godaddy to intercept HTTPS
>> request.
>
> Do you need it for a reverse proxy by any chance or bumping legit ssl
> connections?
> I am not sure you know that but I asked anyway.
>
> Eliezer



--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Eliezer Croitoru
On 05/27/2014 11:19 PM, Antoine Klein wrote:
> I want to bump ssl connections, but without produce a warning of course.
>
> I read it is possible to generate a request of certification with a
> key and send this file to an authority to sign it, do you know that ?
If indeed you were an authority I would assume you won't be having ANY
trouble doing what you need and/or want to do without even asking here.
It's very unlikely you own a root CA and ask here about an issue
which should not be asked about at all.

Squid SSL-Bump is SSL certificate mimicking, which can cause lots of
errors if the client application has a very specific list of issues/ideas
about the certificate properties.
It's risky and should be used with the knowledge that you are probably going to
encounter these errors here and there, if not more than that.

Regards,
Eliezer

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Amos Jeffries
On 28/05/2014 8:19 a.m., Antoine Klein wrote:
> I want to bump ssl connections, but without produce a warning of course.
>
> I read it is possible to generate a request of certification with a
> key and send this file to an authority to sign it, do you know that ?

Having your cert signed by a widely trusted certificate authority is one
thing, and the basis of how TLS/SSL works.

SSL-bump cannot be used with that type of key for the reasons Alex
already mentioned. He also mentioned the steps you have to take instead
to get it going.

Amos


Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow

On 28/05/14 03:43, Amos Jeffries wrote:

> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>> I want to bump ssl connections, but without produce a warning of course.
>>
>> I read it is possible to generate a request of certification with a
>> key and send this file to an authority to sign it, do you know that ?
> Having your cert signed by a widely trusted certificate authority is one
> thing, and the basis of how TLS/SSL works.
>
> SSL-bump cannot be used with that type of key for the reasons Alex
> already mentioned. He also mentioned the steps you have to take instead
> to get it going.
>
> Amos
>

Hi Antoine,

You need to be a CA, i.e. have the CA private key, to be able to do this.
If you are in control of the clients and know how to use OpenSSL to
create a CA you can do this without paying any money to anyone. You
simply create the CA and use it and its private key in your ssl-bump
configuration.

http_port 3128 sslBump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem

proxy.pem is your private key and CA certificate concatenated.

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB

The above line configures the crtd helpers that actually generate the
certs for the requests, see
http://wiki.squid-cache.org/Features/DynamicSslCert

Cheers

Alex
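Alex's recipe carried through as an added example (not code from the thread or from the Squid project): the script creates the private CA with OpenSSL, concatenates its key and certificate into the proxy.pem that cert= expects, pre-flights that file for the missing-key condition behind the "no start line" error at the top of the thread, then issues one per-host leaf certificate the way ssl_crtd does and applies the two checks a browser makes on it (chain to a trusted CA, name matching the visited host), which are the two client-side failures reported later in the thread. It assumes the openssl CLI is installed; the CA names, host names and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Builds the private CA Alex describes, assembles proxy.pem (private key
# and CA certificate concatenated), issues one per-site leaf the way
# ssl_crtd does, and runs the two checks a browser applies to that leaf.
# Assumes the openssl CLI is installed; all paths/names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-contained request config so nothing depends on the system
# openssl.cnf. The v3_ca profile is exactly what a purchased server
# certificate lacks: it is issued CA:FALSE and can never sign others.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a private CA named $1: $WORK/$1.key, $WORK/$1.crt and the
# concatenated $WORK/$1.pem that Squid's cert= option is pointed at.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    cat "$WORK/$1.key" "$WORK/$1.crt" > "$WORK/$1.pem"
    chmod 600 "$WORK/$1.key" "$WORK/$1.pem"
}

# Pre-flight checks for the file handed to cert=. "no start line" is what
# OpenSSL reports when it looks for a key block and the file has none,
# which is the OP's situation: a .crt with only the certificate in it.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}
pem_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
preflight() {
    pem_has_private_key "$1" && pem_is_ca "$1" && key_matches_cert "$1"
}

# Issue a leaf certificate for host $1, signed by CA $2, written to $3.
# This is the per-site mimicking ssl_crtd performs on the fly.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/$1.ext" -out "$3" 2>/dev/null
}

# What the browser checks. Chain: leaf $1 must chain to a CA present in
# the client's trust store $2; otherwise the client sends "unknown ca".
client_trusts_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Name: the certificate must be issued for the host visited ($2);
# otherwise Firefox reports ssl_error_bad_cert_domain.
client_name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match'
}

# Walk-through: our CA passes pre-flight; the leaf is accepted only by a
# client that trusts our CA, and only for the host it was issued for.
demo() {
    make_ca squid-ca
    preflight "$WORK/squid-ca.pem" || return 1
    issue_leaf www.example.test squid-ca "$WORK/leaf.crt"
    client_trusts_chain "$WORK/leaf.crt" "$WORK/squid-ca.crt" || return 1
    client_name_matches "$WORK/leaf.crt" www.example.test || return 1
    if client_name_matches "$WORK/leaf.crt" other.example.test; then
        return 1
    fi
    echo "private CA, proxy.pem and per-host leaf behave as expected"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`; the CA certificate it writes is the one that would have to be installed in every client's trust store, which is the part no purchased certificate can replace.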

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
I'm resending my post because I'm not sure it was sent...

OK, thanks all!

I don't have control of the clients, so that's the real problem: I can't
install a certificate on their smartphones ^^.

So according to you, if I create a CA with OpenSSL, create a
certificate signing request (.csr) with a private key, and send
my CSR to a trusted authority to sign it, I could use it in Squid
without problems, and then clients wouldn't get any warning?
I would like to be sure to avoid every problem.

2014-05-28 2:47 GMT-04:00 Alex Crow <[hidden email]>:

>
> On 28/05/14 03:43, Amos Jeffries wrote:
>>
>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>
>>> I want to bump ssl connections, but without produce a warning of course.
>>>
>>> I read it is possible to generate a request of certification with a
>>> key and send this file to an authority to sign it, do you know that ?
>>
>> Having your cert signed by a widely trusted certificate authority is one
>> thing, and the basis of how TLS/SSL works.
>>
>> SSL-bump cannot be used with that type of key for the reasons Alex
>> already mentioned. He also mentioned the steps you have to take instead
>> to get it going.
>>
>> Amos
>>
>
> Hi Antoine,
>
> You need to be a CA, ie have the CA private key, to be able to do this. If
> you are in control of the clients and know how to use OpenSsl to create a CA
> you can do this without paying any money to anyone. You simply create the CA
> and use it and its private key in your ssl-bump configuration.
>
> http_port 3128 sslBump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>
> proxy.pem is your private key and CA certificate concatenated.
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> The above line configures the crtd helpers that actually generate the certs
> for the requests, see http://wiki.squid-cache.org/Features/DynamicSslCert
>
> Cheers
>
> Alex



--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
Thanks for your answers!

Alex, was your last answer for me? What is illegal?

Finally, I managed to install the certificate; in fact my boss had the
private key...

So I have another problem: Squid starts correctly with the certificate,
but on the client, in Firefox, I get this error
"ssl_error_bad_cert_domain" when I make an HTTPS connection.
Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
clientNegotiateSSL: Error negotiating SSL connection on FD 11:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)"

Do you know these errors?

2014-05-28 11:39 GMT-04:00 Alex Crow <[hidden email]>:

> You cannot generate on the fly new certs that are signed by a commercial CA.
> You need a generated cert for every site your clients visit.
>
> And if you are not in control of your clients this would be not only
> unethical but also most likely illegal - and you won't get any further help
> from this list with either of those.
>
> On 28 May 2014 15:55:04 BST, Antoine Klein <[hidden email]> wrote:
>>
>> I send back my post because i'm not sur it is sent...
>>
>> Ok thanks all !
>>
>> I haven't in control of clients so it's the real problem, i can't
>> install certificate on their smartphone ^^.
>>
>> So according to you, if i create a CA with openssl, and create a
>> certification signing request (.csr) with a private key, and if i send
>> my csr to a trusted authority to sign it, i could use it in squid
>> without problem, then clients wouldn't have any warning ?
>> I would like to be sure to avoid every problem.
>>
>> 2014-05-28 2:47 GMT-04:00 Alex Crow <[hidden email]>:
>>>
>>>
>>>  On 28/05/14 03:43, Amos Jeffries wrote:
>>>>
>>>>
>>>>  On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>
>>>>>
>>>>>  I want to bump ssl connections, but without produce a warning of
>>>>> course.
>>>>>
>>>>>  I read it is possible to generate a request of certification with a
>>>>>  key and send this file to an authority to sign it, do you know that ?
>>>>
>>>>
>>>>  Having your cert signed by a widely trusted certificate authority is
>>>> one
>>>>  thing, and the basis of how TLS/SSL works.
>>>>
>>>>  SSL-bump cannot be used with that type of key for the reasons Alex
>>>>  already mentioned. He also mentioned the steps you have to take instead
>>>>  to get it going.
>>>>
>>>>  Amos
>>>
>>>
>>>
>>>  Hi Antoine,
>>>
>>>  You need to be a CA, ie have the CA private key, to be able to do this.
>>> If
>>>  you are in control of the clients and know how to use OpenSsl to create
>>> a CA
>>>  you can do this without paying any money to anyone. You simply create
>>> the CA
>>> and use it and its private key in your ssl-bump configuration.
>>>
>>>
>>>  http_port 3128 sslBump generate-host-certificates=on
>>>  dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>
>>>  proxy.pem is your private key and CA certificate concatenated.
>>>
>>>  sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>>  The above line configures the crtd helpers that actually generate the
>>> certs
>>>  for the requests, see
>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>
>>>  Cheers
>>>
>>>  Alex
>>
>>
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow
Antoine,

I really think you are completely missing the point of what everyone has
said to you on this list.

1. SSL bumping is effectively an MITM attack against users/clients and
they must be aware that it is happening and it must be legal in your
country and also comply with company policy (if this is for corporate use).
2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL
bumping with dynamic certificate generation, full stop. It *CANNOT* work
- if it did, SSL would be utterly useless. For everyone on the internet,
not just your clients.
3. You *CAN NOT* prevent an SSL warning appearing for bumped connections
unless you are able to install on the clients *your own CA cert*, i.e.
*the very same CA* you use in Squid. Squid will need that CA's private
key to be able to generate certs for every https site your clients visit.

Please read all the Squid docs about SSL and a lot of general info about
how SSL works (i.e. the trust model) as I feel we are all now at a loss in
helping you further!

Alex


On 29/05/14 20:02, Antoine Klein wrote:

> Thanks for your answers !
>
> Alex your last answer is for me ? What is illegal ?
>
> Finally, i managed to install the certificate, in fact my boss had the
> private key...
>
> So i have another problem, squid start correctly with the certificate
> but on the client with firefox i have this error
> "ssl_error_bad_cert_domain" when i make an HTTPS connexion.
> Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> (1/0)"
>
> Do you know these errors ?
>
> 2014-05-28 11:39 GMT-04:00 Alex Crow <[hidden email]>:
>> You cannot generate on the fly new certs that are signed by a commercial CA.
>> You need a generated cert for every site your clients visit.
>>
>> And if you are not in control of your clients this would be not only
>> unethical but also most likely illegal - and you won't get any further help
>> from this list with either of those.
>>
>> On 28 May 2014 15:55:04 BST, Antoine Klein <[hidden email]> wrote:
>>> I send back my post because i'm not sur it is sent...
>>>
>>> Ok thanks all !
>>>
>>> I haven't in control of clients so it's the real problem, i can't
>>> install certificate on their smartphone ^^.
>>>
>>> So according to you, if i create a CA with openssl, and create a
>>> certification signing request (.csr) with a private key, and if i send
>>> my csr to a trusted authority to sign it, i could use it in squid
>>> without problem, then clients wouldn't have any warning ?
>>> I would like to be sure to avoid every problem.
>>>
>>> 2014-05-28 2:47 GMT-04:00 Alex Crow <[hidden email]>:
>>>>
>>>>   On 28/05/14 03:43, Amos Jeffries wrote:
>>>>>
>>>>>   On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>>
>>>>>>   I want to bump ssl connections, but without produce a warning of
>>>>>> course.
>>>>>>
>>>>>>   I read it is possible to generate a request of certification with a
>>>>>>   key and send this file to an authority to sign it, do you know that ?
>>>>>
>>>>>   Having your cert signed by a widely trusted certificate authority is
>>>>> one
>>>>>   thing, and the basis of how TLS/SSL works.
>>>>>
>>>>>   SSL-bump cannot be used with that type of key for the reasons Alex
>>>>>   already mentioned. He also mentioned the steps you have to take instead
>>>>>   to get it going.
>>>>>
>>>>>   Amos
>>>>
>>>>
>>>>   Hi Antoine,
>>>>
>>>>   You need to be a CA, ie have the CA private key, to be able to do this.
>>>> If
>>>>   you are in control of the clients and know how to use OpenSsl to create
>>>> a CA
>>>>   you can do this without paying any money to anyone. You simply create
>>>> the CA
>>>> and use it and its private key in your ssl-bump configuration.
>>>>
>>>>
>>>>   http_port 3128 sslBump generate-host-certificates=on
>>>>   dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>>
>>>>   proxy.pem is your private key and CA certificate concatenated.
>>>>
>>>>   sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>>   The above line configures the crtd helpers that actually generate the
>>>> certs
>>>>   for the requests, see
>>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>>
>>>>   Cheers
>>>>
>>>>   Alex
>>>
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>


Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
OK, I'm really sorry, I don't understand English very well...
I read the discussion again but I am confused :/

Before this project I had no knowledge about certificates and SSL
connections, but I did some research on the subject, especially on the
Squid wiki.
I also read the documentation here again:
http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert
http://wiki.squid-cache.org/Features/HTTPS
But nothing concerns trusted signed certificates :/

My company wishes to offer its clients a public WIFI; I need to use
Squid for the delay pool, and possibly the cache. There is already a
warning given on connection, where the user has to accept the terms of use,
which warns the user.

So, according to you, isn't it possible?
I think it's strange, because the WIFI is deployed, and the connections
of clients pass through the firewall, which already deciphers packets.

I don't understand why you speak about dynamic certificate
generation; does it concern my problem? Because finally I have the
certificate signed by GoDaddy and the private key of this certificate.

Anyway, thanks for your patience. :)

2014-05-29 17:14 GMT-04:00 Alex Crow <[hidden email]>:

> Antoine,
>
> I really think you are completely missing the point of what everyone has
> said to you on this list.
>
> 1. SSL bumping is effectively an MITM attack against users/clients and they
> must be aware that it is happening and it must be legal in your country and
> also comply with company policy (if this is for corporate use).
> 2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL
> bumping with dynamic certificate generation, full stop. It *CANNOT* work -
> if it did, SSL would be utterly useless. For everyone on the internet, not
> just your clients.
> 3. You *CAN NOT* prevent an SSL warning appearing for bumped connections
> unless you are able to install on the clients *your own CA cert*, ie *the
> very same CA* you use in Squid. Squid will need that CA's private key to be
> able to generate certs for every https site your clients visit.
>
> Please read all the Squid docs about SSL and a lot of general info about how
> SSL works (ie the trust model) as I feel we are all now at a loss in helping
> you further!
>
> Alex
>
>
>
> On 29/05/14 20:02, Antoine Klein wrote:
>>
>> Thanks for your answers !
>>
>> Alex your last answer is for me ? What is illegal ?
>>
>> Finally, i managed to install the certificate, in fact my boss had the
>> private key...
>>
>> So i have another problem, squid start correctly with the certificate
>> but on the client with firefox i have this error
>> "ssl_error_bad_cert_domain" when i make an HTTPS connexion.
>> Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (1/0)"
>>
>> Do you know these errors ?
>>
>> 2014-05-28 11:39 GMT-04:00 Alex Crow <[hidden email]>:
>>>
>>> You cannot generate on the fly new certs that are signed by a commercial
>>> CA.
>>> You need a generated cert for every site your clients visit.
>>>
>>> And if you are not in control of your clients this would be not only
>>> unethical but also most likely illegal - and you won't get any further
>>> help
>>> from this list with either of those.
>>>
>>> On 28 May 2014 15:55:04 BST, Antoine Klein <[hidden email]> wrote:
>>>>
>>>> I send back my post because i'm not sur it is sent...
>>>>
>>>> Ok thanks all !
>>>>
>>>> I haven't in control of clients so it's the real problem, i can't
>>>> install certificate on their smartphone ^^.
>>>>
>>>> So according to you, if i create a CA with openssl, and create a
>>>> certification signing request (.csr) with a private key, and if i send
>>>> my csr to a trusted authority to sign it, i could use it in squid
>>>> without problem, then clients wouldn't have any warning ?
>>>> I would like to be sure to avoid every problem.
>>>>
>>>> 2014-05-28 2:47 GMT-04:00 Alex Crow <[hidden email]>:
>>>>>
>>>>>
>>>>>   On 28/05/14 03:43, Amos Jeffries wrote:
>>>>>>
>>>>>>
>>>>>>   On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>>>
>>>>>>>
>>>>>>>   I want to bump ssl connections, but without produce a warning of
>>>>>>> course.
>>>>>>>
>>>>>>>   I read it is possible to generate a request of certification with a
>>>>>>>   key and send this file to an authority to sign it, do you know that
>>>>>>> ?
>>>>>>
>>>>>>
>>>>>>   Having your cert signed by a widely trusted certificate authority is
>>>>>> one
>>>>>>   thing, and the basis of how TLS/SSL works.
>>>>>>
>>>>>>   SSL-bump cannot be used with that type of key for the reasons Alex
>>>>>>   already mentioned. He also mentioned the steps you have to take
>>>>>> instead
>>>>>>   to get it going.
>>>>>>
>>>>>>   Amos
>>>>>
>>>>>
>>>>>
>>>>>   Hi Antoine,
>>>>>
>>>>>   You need to be a CA, ie have the CA private key, to be able to do
>>>>> this.
>>>>> If
>>>>>   you are in control of the clients and know how to use OpenSsl to
>>>>> create
>>>>> a CA
>>>>>   you can do this without paying any money to anyone. You simply create
>>>>> the CA
>>>>> and use it and its private key in your ssl-bump configuration.
>>>>>
>>>>>
>>>>>   http_port 3128 sslBump generate-host-certificates=on
>>>>>   dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>>>
>>>>>   proxy.pem is your private key and CA certificate concatenated.
>>>>>
>>>>>   sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>>
>>>>>   The above line configures the crtd helpers that actually generate the
>>>>> certs
>>>>>   for the requests, see
>>>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>>>
>>>>>   Cheers
>>>>>
>>>>>   Alex
>>>>
>>>>
>>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>>
>>
>



--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow
Hi Antoine,

Replies below:

On 30/05/14 15:44, Antoine Klein wrote:

> Ok i'm really sorry, i don't understand the english very well...
> I read again the discussion but i am confused :/
>
> Before this project i had not any knowledge about certificates and SSL
> connexions but i did several research on the subject, especially on
> squid wiki.
> I also read again the documentation here :
> http://wiki.squid-cache.org/Features/SslBump
> http://wiki.squid-cache.org/Features/DynamicSslCert
> http://wiki.squid-cache.org/Features/HTTPS
> But nothing concern trusted signed certificate :/
>
> My company wishes to offer to its clients a public WIFI, i need to use
> squid for the delay pool, and possibly the cache. There is already a
> warning given on the connexion where we have to accept terms of use
> which warns the user.

Who are your "clients" - by which I mean not only what devices/browsers
but also what relationship do they have to your company?

I think (anyone correct me if I'm wrong) that delay pools do not require
you to decrypt *anything*. To cache SSL replies, inspect for
viruses/malware/bad URL paths, you do need to do so, hence SSLBump.

> So, according to you, isn't it possible ?
> I think it's strange, because the WIFI is deployed, and the connexion
> of clients passes by the firewall which already decipher packets.

I have no idea what you are talking about here. How can your firewall
possibly decipher SSL communications between <some random Wifi Connected
device> and <some web server out on the internet>? Again, this would
mean that SSL would be utterly worthless (which despite recent
developments, it is not). Unless you got your firewall from the NSA, in
which case I'd not recommend advertising that fact on here!



>
> I don't understand why do you speak about dynamic certificate
> generation, does it concern my problem ? Because finally i have the
> certificate signed by godaddy and the private key of this certificate.

I feel like you might be wasting your time (and money) if you paid for
this. You presumably have submitted a CSR for <foo.whatever.domain> to
be signed by GoDaddy and received a certificate (.pem/.p12/.crt,
whatever) back. How do you propose to use the certificate (which only
certifies that domain) to somehow provide client browsers with a valid
certificate for whatever https:// site they choose to visit? How would a
cert for <foo.whatever.domain> have any use for someone visiting
https://mylittlepony.com (example!)? Or have we just completely missed
the point and this SSL stuff is just for your own web server behind
Squid, in which case you have gone completely in the wrong direction
and need to be looking at setting up a "reverse proxy", which does not
require SSLBump at all and would indeed work with what you've just done.

>
> Anyway, thanks for your patience. :)

I fear that even if mine does not run out then that of others may do so
first. You really need to state exactly what it is you are trying to
achieve, and this has so far IMHO not happened - and your English is
perfectly good enough to do so.

Thanks

Alex


Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
OK, I agree with you, I wasn't clear in describing my issue :/ I'll try
to be more understandable.

My company is a bus company; the clients aren't specific, they are
like lambda users. In fact, the WIFI is deployed in bus stations so
everybody can use this WIFI, and there is no authentication, just a
page to accept the terms of use.

I don't need to decrypt SSL, I just need to use Delay Pools, but I
believed it wasn't possible to apply a Delay Pool to HTTPS requests
without decrypting SSL; anyway I didn't find how to do that. The cache is an
option but really not necessary.

No, it's not a firewall of the NSA :) ; anyway I don't believe it, it's my
boss who explained that to me: the firewall inspects the packets, and he
confirms that it's not illegal, else they wouldn't do that.

In my mind, I think when a WIFI user wants to connect to an HTTPS page,
the request detects a MITM attack, but the certificate assures that it's
normal and secure because GoDaddy knows that we are a trusted company.
After that, the request on the proxy is redirected to a specific Squid
port; Squid deciphers the SSL request and creates a new HTTPS request
on the web with its certificates from the user request.

2014-05-30 11:44 GMT-04:00 Alex Crow <[hidden email]>:

> Hi Antoine,
>
> Replies below:
>
>
> On 30/05/14 15:44, Antoine Klein wrote:
>>
>> Ok i'm really sorry, i don't understand the english very well...
>> I read again the discussion but i am confused :/
>>
>> Before this project i had not any knowledge about certificates and SSL
>> connexions but i did several research on the subject, especially on
>> squid wiki.
>> I also read again the documentation here :
>> http://wiki.squid-cache.org/Features/SslBump
>> http://wiki.squid-cache.org/Features/DynamicSslCert
>> http://wiki.squid-cache.org/Features/HTTPS
>> But nothing concern trusted signed certificate :/
>>
>> My company wishes to offer to its clients a public WIFI, i need to use
>> squid for the delay pool, and possibly the cache. There is already a
>> warning given on the connexion where we have to accept terms of use
>> which warns the user.
>
>
> Who are your "clients" - by which I mean not only what devices/browsers but
> also what relationship do they have to your company?
>
> I think (anyone correct me if I'm wrong) that delay pools do not require you
> to decrypt *anything*. To cache SSL replies, inspect for viruses/malware/bad
> URL paths,  you do need to do so, hence SSLBump.
>
>
>> So, according to you, isn't it possible ?
>> I think it's strange, because the WIFI is deployed, and the connexion
>> of clients passes by the firewall which already decipher packets.
>
>
> I have no idea what you are talking about here. How can your firewall
> possibly decipher SSL communications between <some random Wifi Connected
> device> and <some web server out on the internet>. Again, this would mean
> that SSL would be utterly worthless (which despite recent developments, it
> is not). Unless you gor your firewall from the NSA in which case I'd not
> recommend advertising that fact on here!
>
>
>
>
>>
>> I don't understand why do you speak about dynamic certificate
>> generation, does it concern my problem ? Because finally i have the
>> certificate signed by godaddy and the private key of this certificate.
>
>
> I feel like you might be wasting your time (and money) if you paid for this,
> You presumably have submitted a CSR for <foo.whatever.domain> to be signed
> by Godaddy. and received a certificate (.pem/.p12/.crt whatever) back How do
> you propose to use the certificate (which only certifies that domain) to
> somehow provide client browsers with a valid certificate for whatever
> https:// site they choose to visit? How would a cert for
> <foo.whatever.domain> have any use for someone visiting
> https://mylittlepony.com (example!). Or have we just completely missed the
> point and this SSL stuff is just for your own web server behind squid - in
> which case you have gone completely in the wrong direction and need to be
> looking at setting up a "reverse prosy", which does not require SSLBump at
> all and would indeed work with what you've just done.
>
>
>>
>> Anyway, thanks for your patience. :)
>
>
> I fear that even if mine does not run out then that of others may do so
> first. You really need to state exactly what it is you are trying to
> achieve, and this has so far IMHO not happened - and your English is
> perfectly good enough to do so.
>
> Thanks
>
> Alex
>



--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow

On 30/05/14 21:12, Antoine Klein wrote:
> OK, I agree with you, I wasn't clear in describing my issue :/ I'll try
> to be more understandable.
>
> My company is a bus company; the clients aren't specific, they are
> ordinary users. In fact, the WIFI is deployed in bus stations so
> everybody can use it, and there is no authentication, just a
> page to accept the terms of use.

OK so at least you have something for them to agree to. You have to
state there that the usage including content may be intercepted and
logged - certainly if the laws in your country require you to.

>
> I don't need to decrypt SSL, I just need to use delay pools, but I
> believed it wasn't possible to apply a delay pool to HTTPS requests
> without decrypting SSL; anyway I didn't find how to do that. The cache
> is an option but really not necessary.

I see nothing on the delay pools page to suggest that you need to
decrypt https to make it work.

>
> No, it's not an NSA firewall :), anyway I don't believe so; it's my
> boss who explained that to me, the firewall inspects the packets, and he
> confirms that it's not illegal, otherwise they wouldn't do that.

You can't intercept the /content/ of https packets without an MITM attack.

>
> In my mind, I think when a WIFI user wants to connect to an HTTPS page,
> the request detects a MITM attack but the certificate assures that it's
> normal and secure because GoDaddy knows that we are a trusted company.
> After that, the request on the proxy is redirected to a specific Squid
> port, Squid deciphers the SSL request and creates a new HTTPS request
> on the web with its certificates from the user's request.

SSL does not work like this! If a user requests site
https://mylittlepony.com, they expect the SSL certificate's subject name
to be "mylittlepony.com" not whatever the domain you got for your
godaddy certificate. If the subject name of the cert does not match the
visited site, there will always be a warning in the browser. You also
cannot use the Godaddy cert as a CA cert as the certificate basic
constraints on a commercially issued cert prevent it from being used as
a CA.

You need to create your own CA with a private key, then, and only then,
can you use those two to issue certs, signed by your private key, with
the subject name of each site the clients visit. The clients will still
get a warning as your CA cert is not in their built-in list of trusted CAs.

That is all there is to it. You will in no way be able to get rid of
warnings in the browser without both bumping and dynamic cert
generation, plus your CA (*NOT* GoDaddy's) installed on the clients.

The only way you could do this (and no even marginally savvy user would
ever trust it) would be to use a "browser-in-browser" frame
portal/web-services proxy. This is way out of scope for this list.

But given all you really need is QoS, why don't you either (a) dispense
with Squid and just do QoS on the firewall for your Wifi subnet or (b)
put a transparent firewall between your clients and the Squid server
that does QoS? Or just see if Squid delay pools work for SSL (I think
they *do*, the traffic still passes via Squid as a CONNECT request -
it's just that Squid can't "see" or proxy the plaintext content.)

Cheers

Alex
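An added example, not code from anyone in this thread and not the Squid project's own, illustrating Alex's point about Basic Constraints: a commercially issued server certificate is marked CA:FALSE and so cannot sign per-site certificates no matter who holds its private key, while the thing ssl-bump needs is a private CA whose public half is pushed to the clients. It assumes the openssl command-line tool is installed; the subject names, file names and the squid.conf paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example for this thread; not code from the posters or from the
# Squid project. It shows the property that decides whether a certificate
# can be used for ssl-bump (Basic Constraints CA:TRUE plus keyCertSign),
# which a GoDaddy-issued server certificate does not have, and builds the
# private CA that Squid's dynamic certificate generation actually needs.
# Needs the openssl CLI. Subject names and paths are assumptions.
set -eu

# Return 0 if the PEM certificate in $1 may sign other certificates.
# A commercially issued server certificate carries CA:FALSE, so even with
# its private key in hand Squid could not mint per-site certificates with
# it that any browser would accept.
can_sign_certs() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    # When a Key Usage extension is present it must allow Certificate Sign.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Self-signed certificate with exactly the extensions given in $4, using a
# throwaway config so the result does not depend on /etc/ssl/openssl.cnf.
# $1 = output dir, $2 = file basename, $3 = CN, $4 = extension lines.
gen_selfsigned() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%s\n' \
        "$3" "$4" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Stand-in for the certificate the original poster bought: a plain server
# (leaf) certificate, constructed here for the demonstration.
make_leaf_cert() {
    gen_selfsigned "$1" leaf wifi.example-bus.test \
'basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth'
}

# Private CA for Squid. Only the public half (myCA.der) goes to clients;
# the key never leaves the proxy host.
make_bump_ca() {
    gen_selfsigned "$1" myCA 'Example Bus Wifi Proxy CA' \
'basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash'
    # Squid reads the key from the cert= file unless key= is given, which is
    # why the GoDaddy .crt produced "Failed to acquire SSL private key":
    # that file held a certificate but no key.
    cat "$1/myCA.pem" "$1/myCA.key" > "$1/myCA-squid.pem"
    chmod 600 "$1/myCA.key" "$1/myCA-squid.pem"
    openssl x509 -in "$1/myCA.pem" -outform DER -out "$1/myCA.der"
}

# Squid 3.4-style configuration that goes with myCA-squid.pem. Paths vary
# by distribution; in Squid 4+ ssl_crtd is called security_file_certgen.
#   https_port 3129 intercept ssl-bump cert=/etc/squid/myCA-squid.pem \
#       generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#   sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
#   ssl_bump server-first all

main() {
    dir=$(mktemp -d)
    make_leaf_cert "$dir"
    make_bump_ca "$dir"
    for f in leaf.pem myCA.pem; do
        if can_sign_certs "$dir/$f"; then
            echo "$f: CA:TRUE, usable as the ssl-bump signing certificate"
        else
            echo "$f: not a CA, Squid cannot issue per-site certificates with it"
        fi
    done
    rm -rf "$dir"
}

main "$@"
```

Run `can_sign_certs` against the purchased GoDaddy file and it reports "not a CA" for the same reason the leaf certificate above does. Importing myCA.der into the clients' trust stores is what removes the browser warning; nothing else will, and on a public wifi with random devices that step is not available to you.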





Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Amos Jeffries
On 1/06/2014 3:49 a.m., Alex Crow wrote:
<snip>
>
> But given all you really need is QoS, why don't you either (a) dispense
> with Squid and just to QoS on the firewall for your Wifi subnet or (b)
> put a transparent firewall between your clients and the Squid server
> that does QoS? Or just see if Squid delay pools work for SSL (I think
> they *do*, the traffic still passes via Squid as a CONNECT request -
> it's just that Squid can't "see" or proxy the plaintext content.)
>
I second all of the above. In particular, the built-in QoS features
of the firewall or router device networking config are a far better place
to be doing the delay actions than Squid.

In regards to delay pools and HTTPS. As far as I know the pools work
without decrypting, although you may encounter one of a handful of bugs
which trigger over or under counting of bytes (depending on the bug
hit). So you may need a special delay pool configured with a hack on the
speed value of port 443 traffic to make the user-visible speed what they
expect.

Amos


Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
OK, I understand!

Finally I'm going to change strategy: if it isn't possible to decrypt
HTTPS without a warning for the client, I shall do it differently.

So there are two solutions. The first one is to use Squid without
deciphering SSL requests. Amos, you explained that, but I don't
understand what bugs are encountered. So in this case, how can I
configure Squid? I didn't find an example, and I have already asked for
that but I was told it would be impossible, though they were not sure.

The second solution consists in not using Squid, but applying QoS
differently; however I need QoS like the Squid delay pools, do you know
if it is possible? Alex, you already spoke to me about LARTC, but I
need to find a solution quickly, so I fear that it would take too long
to understand the Linux QoS possibilities.

Regards.




--
Antoine KLEIN

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Alex Crow

On 02/06/14 15:12, Antoine Klein wrote:
> OK, I understand!
>
> Finally I'm going to change strategy: if it isn't possible to decrypt
> HTTPS without a warning for the client, I shall do it differently.
You will have to, as it's impossible to do so without interfering with
the user's client devices.

>
> So there are two solutions. The first one is to use Squid without
> deciphering SSL requests. Amos, you explained that, but I don't
> understand what bugs are encountered. So in this case, how can I
> configure Squid? I didn't find an example, and I have already asked for
> that but I was told it would be impossible, though they were not sure.

Just use delay pools as described in the docs. The "bugs" will not be
showstoppers, they might just bias the pools unexpectedly but given
you'll have lots of random clients it will probably even out.

>
> The second solution consists in not using Squid, but applying QoS
> differently; however I need QoS like the Squid delay pools, do you know
> if it is possible? Alex, you already spoke to me about LARTC, but I
> need to find a solution quickly, so I fear that it would take too long
> to understand the Linux QoS possibilities.

How about Shorewall, pfSense, etc? No-one here probably has the time to
give you an out-of box setup that will suit you. I know for sure I
don't. You also have a pre-existing firewall and given it looks fairly
magical it should be able to do per-ip QoS (at least if you just drop
the Squid before it hits the FW)

I can't understand how you've been persuaded to accept a project that
you should have been doing months of research on and then agree to
deliver in days (not knowing what was actually possible). Did you
over-promise to your boss? If so, don't!

I never promise to deliver anything. I give an estimate that is based on
"(((Time I expect to take this given I know everything *3) + (Time I
think I'll need to find something out when I find I don't know
everything *3)) * (Time it will take me to reconcile what people said
they want vs what they actually need *3) * 3)". If an external supplier
is involved multiply the whole lot by *at least* 10.

That works out to about 2 months for what your average
client/boss/marketing person says will take a week...

Cheers

Alex








Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

Toinou
> Just use delay pools as described in the docs. The "bugs" will not be showstoppers, they might just bias the pools unexpectedly but given you'll have lots of random clients it will probably even out.

It's the first thing I did, so it works for HTTP requests, but there is
nothing in the documentation which explains the delay pools for HTTPS.
What do I have to do about port 443? I must redirect it to Squid to
use the delay pools, so to which port?


> I can't understand how you've been persuaded to accept a project that you should have been doing months of research on and then agree to deliver in days (not knowing what was actually possible). Did you over-promise to your boss? If so, don't!

In fact, I am doing an internship to finish my studies. My boss suggested
this project to me, and I accepted; I just had theoretical knowledge about
networking and it was very interesting.
I never promised anything and he knows that I'm inexperienced, so it's
cool, I have no pressure and I don't have any deadline to finish this
project, but I just asked if there is a simpler solution.
Nevertheless, I want to find a solution quickly if possible :)

Antoine




--
Antoine KLEIN
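An added squid.conf fragment, not posted by anyone in the thread and not taken from the Squid documentation, covering the two points the thread leaves open: Antoine's question of which port intercepted 443 traffic should be sent to, and the delay-pools-without-decryption setup Alex and Amos recommend. It assumes Squid 3.5 or later (the peek/splice actions did not exist in the 3.4 releases current when this was written), a wifi subnet of 192.168.10.0/24, the CA file name from a private-CA setup, and a Linux box doing the interception; all of those are placeholders to adjust.

```conf
# Added squid.conf fragment, not from the thread or the Squid docs.
# Assumes Squid 3.5 or later, a wifi subnet of 192.168.10.0/24 and a
# private CA file created for ssl-bump; adjust to taste.
#
# What the original post did (fails: the GoDaddy .crt holds no private
# key, and a server certificate could not sign per-site certs anyway):
#
#   https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
#
# What the thread converges on: rate-limit per client, decrypt nothing.

acl wifi src 192.168.10.0/24

# Ports 80 and 443 from the wifi are redirected here by the firewall,
# e.g. on a Linux box doing the interception:
#   iptables -t nat -A PREROUTING -i wlan0 -s 192.168.10.0/24 \
#       -p tcp --dport 80  -j REDIRECT --to-ports 3127
#   iptables -t nat -A PREROUTING -i wlan0 -s 192.168.10.0/24 \
#       -p tcp --dport 443 -j REDIRECT --to-ports 3129
http_port 3127 intercept

# Explicit proxy for clients configured to use one; their HTTPS arrives
# as CONNECT requests and is counted by the pools like any other
# request, without decryption.
http_port 3128

# Intercepted port 443. Squid needs a cert= to open an ssl-bump port, but
# with peek/splice it never signs anything with it: Squid reads the TLS
# ClientHello (SNI name, usable in ACLs) and then tunnels the bytes
# untouched, so clients see the real server certificate and no warning.
https_port 3129 intercept ssl-bump cert=/etc/squid/myCA-squid.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Delay pools, class 2: one aggregate bucket plus one bucket per client IP
# (keyed on the last octet, hence the single /24 assumption; use class 3
# for several subnets). Values are restore_bytes_per_second/max_bytes;
# -1/-1 leaves the aggregate unlimited, 64000/512000 gives each client
# about 512 kbit/s sustained with a 512 KB burst.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 64000/512000
delay_initial_bucket_level 50
delay_access 1 allow wifi
delay_access 1 deny all
```

Amos's caveat still applies: the byte counting on spliced and CONNECT traffic has had over- and under-counting bugs in some versions, so measure the effective rate from a client on the wifi and, if needed, tune the port-443 figure separately rather than trusting the nominal value. If the firewall or router already has per-IP shaping, both Alex and Amos prefer doing the limiting there and leaving Squid out of the path entirely.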