Can I use Squid to upgrade client TLS connections?


Problem description

I'm trying to allow legacy systems (CentOS 5.x) to continue making connections to services which will shortly allow only TLS v1.1 or TLS v1.2 connections (Salesforce, various payment gateways, etc.)

I have installed Squid 3.5 on a Centos 7 server in a docker container, and am trying to configure squid to bump the SSL connections. My thought was that since squid acts as a MITM and opens one connection to the client and one to the target server that it would negotiate a TLS 1.2 connection to the target, while the client was connecting with SSLv3 or TLS 1.0.

Am I totally off-base here, or is this something that should be possible? If Squid can't do this, are there other proxies which can?

My current squid configuration looks like this:

access_log      /var/log/squid/access.log
cache_log       /var/log/squid/cache.log

cache_store_log none
cache           deny all

http_access     allow all
http_port       3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1

ssl_bump        stare all
ssl_bump        bump all

Solution

I was able to get this working by only bumping at step1, and not peeking or staring. The final configuration that I used (with comments) is below:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Write access and cache logs to disk immediately using the stdio module.

access_log stdio:/var/log/squid/access.log
cache_log  /var/log/squid/cache.log

# Define ACLs related to ssl-bump steps.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The purpose of this instance is not to cache, so disable that.

cache_store_log none
cache           deny all

# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.

http_access allow all
http_port   3128 ssl-bump cert=/etc/squid/certs/squid.pem \
            generate-host-certificates=on version=1

# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.

ssl_bump bump step1 all
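Added example, not part of the original answer: a small POSIX shell checker for the pitfall the comments above describe. Squid applies the first ssl_bump rule that matches at each step, so if a peek, stare or splice rule can fire at SslBump1 the client's own ClientHello (and its TLS version) is forwarded to the server and no upgrade happens. The two configs it reads are constructed to mirror the question's and the answer's ssl_bump rules, and the step1/step2/step3 ACL names are assumed to be the ones used in the answer.

```shell
#!/bin/sh
# Prints the action of the first ssl_bump rule that can apply at step 1
# (SslBump1) for a squid.conf read on stdin. Comments and blank lines are
# ignored. Assumption: step-restricted rules use the ACL names step1/step2/
# step3 as defined in the answer above; negated or other ACLs are not modelled.
first_step1_action() {
    sed -e 's/#.*//' | awk '
        $1 == "ssl_bump" {
            # A rule restricted to step2 or step3 cannot fire at step 1,
            # so Squid moves on to the next rule.
            if ($3 == "step2" || $3 == "step3") next
            print $2
            exit
        }'
}

# Returns 0 when the config lets Squid negotiate its own TLS session to the
# server (first step-1 action is "bump"), 1 when the client hello would be
# relayed (peek/stare/splice) and the client's TLS version leaks through.
upgrade_capable() {
    [ "$(first_step1_action < "$1")" = "bump" ]
}

# Constructed sample 1: the rules from the question ("stare all" first).
ORIGINAL_CONF=$(mktemp)
cat > "$ORIGINAL_CONF" <<'EOF'
acl step1 at_step SslBump1
ssl_bump stare all    # stare at step 1 relays the client's ClientHello
ssl_bump bump all
EOF

# Constructed sample 2: the rules from the answer (bump at step 1 only).
FINAL_CONF=$(mktemp)
cat > "$FINAL_CONF" <<'EOF'
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump bump step1 all
EOF

for conf in "$ORIGINAL_CONF" "$FINAL_CONF"; do
    if upgrade_capable "$conf"; then
        echo "$conf: first step-1 action is bump; TLS upgrade possible"
    else
        echo "$conf: first step-1 action is $(first_step1_action < "$conf"); client TLS version is relayed"
    fi
done
```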
