我试图让遗留系统(CentOS 5.x)继续连接到服务,这些服务很快将只允许 TLS v1.1 或 TLS v1.2 连接(Salesforce、各种支付网关等)
我已经在 docker 容器中的 Centos 7 服务器上安装了 squid 3.5,并且正在尝试配置 squid 以触发 SSL 连接。我的想法是,由于 squid 充当 MITM 并打开一个到客户端的连接和一个到目标服务器的连接,因此它将协商到目标的 TLS 1.2 连接,而客户端正在使用 SSLv3 或 TLS 1.0 连接。
我在这里完全偏离基地,还是这应该是可能的?如果 Squid 不能做到这一点,还有其他代理可以吗?
我当前的鱿鱼配置如下所示:
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache deny all
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1
ssl_bump stare all
ssl_bump bump all
我仅通过在第 1 步碰撞而不是偷看或凝视就能够使它正常工作。我使用的最终配置(带注释)如下:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Write access and cache logs to disk immediately using the stdio module.
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Define ACLs related to ssl-bump steps.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# The purpose of this instance is not to cache, so disable that.
cache_store_log none
cache deny all
# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid.pem \
generate-host-certificates=on version=1
# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.
ssl_bump bump step1 all