Update: SQUID transparent SSL interception : Squid v3.2

In order to keep this blog post a bit more relevant: there have been some improvements since that post was written. Squid v3.2 was released earlier this year, making SSL interception more seamless and easier. The new features for HTTPS interception can be found by reading through the man page for http_port: http://www.squid-cache.org/Versions/v3/3.2/cfgman/http_port.html More specifically: …


SQUID transparent SSL interception

July 2012: Small update on new versions of squid (squid v3.2) here. There seems to be a bit of confusion about configuring SQUID to transparently intercept SSL (read: HTTPS) connections. Some sites say it's plainly not possible: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 Recent developments in SQUID have made this possible. This article explores how to set this up …

SSL session ID & IPS

Intermittent access issues to HTTPS sites… Issue: Randomly, the same HTTPS site would sometimes not respond. IE would show its very unhelpful "page cannot be displayed" while Firefox displays the slightly more descriptive "peer received a valid certificate but access denied". Cause (in this case): An upstream Fortigate IPS was dropping "unknown" SSL …

Redirecting HTTPS sites using ProxySG

Customers often ask whether, when using a proxy, it is possible to redirect one HTTPS site to another. IE will not accept a non-2xx code in response to an HTTPS request. Officially, there is nothing more to it: it's not possible… I have a workaround/hack for this. Please be aware that I provide this to you …

Using client certificate authentication w/ BC ProxySG

Had to deal with an interesting case lately. This is what the customer wanted: as you can see, the link between the client and the ProxySG is to be negotiated using HTTPS, while the link between the ProxySG and the OCS is to be plain old HTTP. This is easily handled by the ProxySG when …

Nugget post: Lessons learned in SSH password-less login

There are plenty of guides on how to set up SSH login to a remote host without having to provide a password. The one I followed was: http://www.cyberciti.biz/faq/ssh-password-less-login-with-dsa-publickey-authentication/ It essentially just creates a pair of files on your local machine: your private key and your public key. The public key must be sent to the …

Exporting / saving decrypted data from wireshark

Elaborating on my previous post, "Decrypting https traffic with bluecoat reverse proxy": in support or troubleshooting situations, most of the time the end client would not be willing to give up any private keys. This is of course understandable, given that this could lead to a compromise of the security system, which would necessitate a …