Hi!
I am using squid 3.5 with ssl_bump and icap to scan https traffic.
My main problem is untrusted certificates.
At the moment, squid does two things:
- If I open https-sites with trusted certificates, ssl_bump intercepts the connections with a dynamically generated certificate, signed with my own CA
- If I open https-sites with untrusted certificates, I get an error message:
TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
This is technically correct, but I want to have the possibility to get the warning and to be able to press "proceed"
My goal would be something like Fortinet does with their Fortigates: They sign the dynamically generated certs with two different CAs:
- CA-trusted
- CA-untrusted
--> The user can proceed if he knows what he does
Do you have any idea on how to solve this?
Thank you and best wishes
Stril
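An added squid.conf fragment (not from the original post) showing the Squid 3.5 mechanism that corresponds to the Fortigate two-CA behaviour described above. It relies on two Squid directives: `sslproxy_cert_error` decides which origin-certificate validation errors are tolerated instead of producing the error page, and `sslproxy_cert_sign` chooses which CA signs the mimicked certificate (`signTrusted` uses the CA from `http_port cert=`; `signUntrusted` uses a CA that clients do not trust, so the browser shows its own warning with a "proceed" option). The three `sslproxy_cert_sign` lines are Squid's documented defaults; the piece that is missing in the setup from the post is the `sslproxy_cert_error allow` rule, without which the X509 error is fatal. The CA path, port and the exact list of tolerated error names are assumptions for the example.

```conf
# Assumed CA path and port; replace with your own values.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/proxy-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Origin-certificate validation errors that Squid may tolerate while bumping.
# The first name is the error from the post; the other two are the usual
# self-signed cases. Anything not listed here still produces the error page,
# so the list should stay as short as the deployment needs.
acl tolerated_errors ssl_error \
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
sslproxy_cert_error allow tolerated_errors
sslproxy_cert_error deny all

# Carry the origin's trust state through to the generated certificate:
# origins that failed validation are signed with an untrusted CA, self-signed
# origins get a self-signed mimic, and everything else is signed with the
# trusted CA from http_port. These three lines are Squid's defaults.
sslproxy_cert_sign signUntrusted ssl::certUntrusted
sslproxy_cert_sign signSelf ssl::certSelfSigned
sslproxy_cert_sign signTrusted all
```

The effect is that Squid no longer terminates the connection itself; the client sees the browser's untrusted-certificate warning for the bumped site and the "proceed" decision moves to the user, while sites with valid chains continue to receive certificates from the trusted CA as before. Because `sslproxy_cert_error allow` turns off Squid's own enforcement for the listed errors, it is worth restricting the `allow` rule with an additional ACL (for example a destination-domain or source-network ACL) rather than applying it to all traffic.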