Can I use Squid to upgrade client TLS connections?
Question:
I'm trying to keep legacy systems (CentOS 5.x) connecting to services that will soon only allow TLS v1.1 or TLS v1.2 connections (Salesforce, various payment gateways, etc.).
I've installed Squid 3.5 on a CentOS 7 server in a Docker container and am trying to configure squid to bump SSL connections. My thinking is that, since squid acts as a MITM and opens one connection to the client and one to the target server, it will negotiate a TLS 1.2 connection to the target while the client connects with SSLv3 or TLS 1.0.
Am I completely off base here, or should this work? If Squid can't do this, are there other proxies that can?
My current squid configuration looks like this:
# Log to disk; this instance only proxies, so caching is disabled below.
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache deny all
http_access allow all
# Explicit proxy port with SSL bumping; per-host certificates are generated
# and signed by the local CA in myCA.pem.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1
# Stare at the client hello first, then bump.
ssl_bump stare all
ssl_bump bump all
Answer:
I was able to get this working by bumping only at step 1, rather than peeking or staring. The final configuration I used (with comments) is below:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Write access and cache logs to disk immediately using the stdio module.
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Define ACLs related to ssl-bump steps.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# The purpose of this instance is not to cache, so disable that.
cache_store_log none
cache deny all
# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid.pem \
generate-host-certificates=on version=1
# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.
ssl_bump bump step1 all
A warning to anyone trying this configuration: it works by stripping *all* server TLS security details from what is passed to the client. That increases exposure to a variety of attacks and other communication problems. So restrict the use of step1 as much as possible. –
Hey - I'm facing this too, did you ever figure it out? – user1914292
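The reasoning in the question (Squid as a MITM holding one TLS session to the client and a separate one to the origin) and the comment in the answer's config (peeking or staring at step 1 or 2 forwards the client's own hello, including its TLS version, to the server) can be made concrete with a small model. The following is an added example, not code from the original post or from Squid: it builds a TLS ClientHello by hand per RFC 5246 and RFC 6066, parses the fields a bumping proxy cares about, and contrasts forwarding the client's hello unchanged (what peek/stare does) with terminating the client and sending a fresh hello to the origin (what `bump` at step 1 does). The cipher-suite lists, the hostname `example.com` and the origin's TLS 1.2 floor are constructed assumptions.

```python
"""Model of what ssl_bump peek/stare vs. bump forwards to the origin.

Added example (not from the original post or from Squid).  Byte layouts
follow RFC 5246 (ClientHello) and RFC 6066 (server_name extension).
"""
import os
import struct

TLS1_0 = (3, 1)
TLS1_2 = (3, 3)

# Illustrative IANA cipher-suite values; both lists are assumptions.
LEGACY_SUITES = [0x0035, 0x002F, 0x000A]          # AES256-SHA, AES128-SHA, 3DES-SHA
MODERN_SUITES = [0xC02F, 0xC030, 0x009E, 0x009F]  # ECDHE/DHE AES-GCM


def build_client_hello(version, cipher_suites, sni, random=None):
    """Serialize a minimal ClientHello record carrying an SNI extension."""
    random = random or os.urandom(32)
    body = bytes(version) + random + b"\x00"          # client_version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list # extension type 0 = server_name
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    # Record-layer version stays at 3.1 for compatibility, as real clients do.
    return b"\x16" + bytes(TLS1_0) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract record version, client_version, cipher suites and SNI."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = (body[0], body[1])
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    sni = None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                    # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "sni": sni}


def peek_forward(client_hello):
    """peek/stare at step 1 or 2: the client's own hello reaches the origin."""
    return client_hello


def bump_forward(client_hello):
    """bump at step 1: the proxy terminates the client and opens its own TLS
    session to the origin, reusing only the destination name from the client."""
    sni = parse_client_hello(client_hello)["sni"]
    return build_client_hello(TLS1_2, MODERN_SUITES, sni)


def origin_accepts(hello, min_version=TLS1_2):
    """A hardened origin (assumed TLS 1.2 floor) rejects lower offered versions."""
    return parse_client_hello(hello)["client_version"] >= min_version


if __name__ == "__main__":
    legacy = build_client_hello(TLS1_0, LEGACY_SUITES, "example.com")  # constructed CentOS 5 style hello
    print("peek/stare forwarded, origin accepts:", origin_accepts(peek_forward(legacy)))
    print("bump at step1, origin accepts:", origin_accepts(bump_forward(legacy)))
```

The model also shows why the warning comment above applies: after `bump_forward` the origin only ever sees the proxy's hello, so the client's own cipher and version preferences, and anything the origin's certificate would have told the client, never cross the proxy.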