我正在尝试允许遗留系统(CentOS 5.x)继续与服务建立连接,这些服务很快将仅允许TLS v1.1或TLS v1.2连接(Salesforce,各种支付网关等)
我已经在Docker容器中的Centos 7服务器上安装了Squid 3.5,并且我正在尝试配置squid以阻止SSL连接。我的想法是,因为squid充当MITM并打开一个连接到客户端,一个连接到目标服务器,它将协商与目标的TLS 1.2连接,而客户端则连接SSLv3或TLS 1.0。
我完全偏离这里,或者这应该是可能的吗?如果Squid不能这样做,还有其他代理吗?
我目前的鱿鱼配置如下:
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache deny all
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1
ssl_bump stare all
ssl_bump bump all
答案 0 :(得分:0)
我能够通过在第1步碰撞而不是偷看或凝视来实现这一点。我使用的最终配置(带注释)如下:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Write access and cache logs to disk immediately using the stdio module.
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Define ACLs related to ssl-bump steps.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# The purpose of this instance is not to cache, so disable that.
cache_store_log none
cache deny all
# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid.pem \
generate-host-certificates=on version=1
# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.
ssl_bump bump step1 all