I am trying to allow legacy systems (CentOS 5.x) to keep connecting to services that will soon accept only TLS v1.1 or TLS v1.2 connections (Salesforce, various payment gateways, etc.).
I have installed Squid 3.5 in a Docker container on a CentOS 7 server and am trying to configure Squid to bump the SSL connections. My thinking is that, since Squid acts as a MITM and opens one connection to the client and a separate one to the destination server, it would negotiate a TLS 1.2 connection to the destination even when the client connects with SSLv3 or TLS 1.0.
Am I completely off base here, or is this something that should be possible? If Squid can't do it, is there another proxy that can?
My current Squid configuration looks like this:
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache deny all
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1
ssl_bump stare all
ssl_bump bump all
I was able to get this working by bumping at step 1 only, rather than peeking or staring. The final configuration I used (with comments) is below:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Write access and cache logs to disk immediately using the stdio module.
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Define ACLs related to ssl-bump steps.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# The purpose of this instance is not to cache, so disable that.
cache_store_log none
cache deny all
# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.
http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid.pem \
generate-host-certificates=on version=1
# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.
ssl_bump bump step1 all
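As an added example (not from the question or the answer above), a small Python lint that applies the point made in the answer to a squid.conf: it finds the ssl_bump rule Squid would apply at SslBump1 and flags a peek or stare there. The two sample configurations are the ones quoted on this page; the function names are my own.

```python
# Constructed samples: the ssl_bump-relevant lines of the two configurations on this page.
ORIGINAL_CONF = """
ssl_bump stare all
ssl_bump bump all
"""
FINAL_CONF = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump step1 all
"""

def parse_rules(conf_text):
    """Collect at_step ACLs (name -> step number) and the ordered ssl_bump
    rules as (action, [acl tokens]); other directives are ignored."""
    step_acls, rules = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue
        if line[0] == "acl" and len(line) >= 4 and line[2] == "at_step":
            step_acls[line[1]] = int(line[3][-1])  # "SslBump1" -> 1
        elif line[0] == "ssl_bump" and len(line) >= 2:
            rules.append((line[1], line[2:]))
    return step_acls, rules

def matches_step1(acl_tokens, step_acls):
    """True if a rule's ACL list can match at SslBump1. Only at_step ACLs are
    evaluated here; any other ACL (all, dst lists, ...) is assumed to match."""
    for tok in acl_tokens:
        negated = tok.startswith("!")
        name = tok.lstrip("!")
        if name in step_acls and (step_acls[name] == 1) == negated:
            return False
    return True

def step1_action(conf_text):
    """The action Squid applies at SslBump1: the first ssl_bump rule that can
    match there, or None if no rule matches (Squid then does not bump)."""
    step_acls, rules = parse_rules(conf_text)
    for action, acls in rules:
        if matches_step1(acls, step_acls):
            return action
    return None

def forwards_client_tls_version(conf_text):
    """Per the answer above, a peek or stare at step 1 relays the client's TLS
    Hello (and so its TLS version) to the server, defeating the upgrade."""
    return step1_action(conf_text) in ("peek", "stare")
```

Running `forwards_client_tls_version` on the two samples reports the original configuration as staring at step 1 and the final one as bumping there.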