Feature #1775

SSL proxy

Added by Giacomo Sanchietti over 8 years ago. Updated about 8 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-squid
Target version:v6.4-beta2
Resolution: NEEDINFO:No

Description

Add SSL to proxy implementing a MITM attack scenario.

Candidate: SQUID 3.3

Related issues

Related to NethServer 6 - Feature #1773: Proxy server CLOSED

Associated revisions

Revision 8be9ccc6
Added by Giacomo Sanchietti about 8 years ago

nethserver-base-check-certificate: always regenerate default certificates. Usefull for services like squid. Refs #1775

Revision dc11d159
Added by Giacomo Sanchietti about 8 years ago

nethserver-base-check-certificate: always regenerate default certificates. Usefull for services like squid. Refs #1775

History

#1 Updated by Giacomo Sanchietti over 8 years ago

  • Target version changed from ~FUTURE to v6.4-beta2

#2 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from NEW to ON_QA
  • % Done changed from 0 to 80

Each client must import NSRV.crt as root CA.

#4 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 80 to 30

Needs documentation.

#5 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

Implementation is nethserver-squid package.

#6 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80
Test packages:
  • nethserver-squid-1.0.0-1
  • squid-3.3.5-1
Testing instructions:
  • Install: yum --enablerepo=nethserver-testing install nethserver-squid
  • Enable transprent_ssl mode using web interface
  • Install server certificate on a client
  • Try to open an ssl site

#7 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Giacomo Sanchietti)

ON_QA: Assignee reset

#8 Updated by Davide Principi about 8 years ago

  • Assignee set to Davide Principi

#9 Updated by Davide Principi about 8 years ago

  • Parent task set to #1774

Added reference to #1773

#10 Updated by Davide Principi about 8 years ago

  • Parent task deleted (#1774)

oops

#11 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

  • NethServer server&gateway
  • Client WinXP
  • server-manager certificate installed as trusted root CA
Tested Transparent SSL PASSED
  • IE 6.0 :\ OK
  • Firefox 22.0 OK

Squid returns its trusted certificate only if the remote site has a trusted certificate.

If the remote site is not trusted, an untrusted certificate (built on the fly) is returned to the client. The common name (CN) field of a such certificate contains the string

Not trusted by "yourserver.domain"

RPMs:

nethserver-smartd-1.0.0-1.ns6.noarch
postfix-2.9.6-2.ns6.x86_64
nethserver-lightsquid-1.0.2-1.ns6.noarch
nethserver-nethgui-1.2.2-1.ns6.noarch
dovecot-antispam-0.0.49-1.ns6.x86_64
nethserver-backup-config-1.0.3-1.ns6.noarch
nethserver-samba-1.3.6-1.ns6.noarch
nethserver-httpd-admin-1.0.4-1.ns6.noarch
nethserver-openssh-1.0.2-1.ns6.noarch
nethserver-shorewall-1.0.0-1.ns6.noarch
nethserver-lib-1.3.0-1.ns6.noarch
nethserver-directory-1.2.2-1.ns6.noarch
nethserver-antivirus-1.0.3-1.ns6.noarch
nethserver-mail-common-1.2.1-1.ns6.noarch
nethserver-php-1.1.0-1.ns6.noarch
nethserver-ntp-1.0.4-1.ns6.noarch
nethserver-httpd-2.2.1-1.ns6.noarch
nethserver-firewall-base-1.0.3-1.ns6.noarch
nethserver-yum-1.1.1-1.ns6.noarch
nethserver-mail-server-1.4.4-1.ns6.noarch
nethserver-hosts-1.0.4-1.ns6.noarch
nethserver-grub-1.0.1-1.ns6.noarch
nethserver-squid-1.0.2-1.ns6.noarch
nethserver-base-1.4.0-1.ns6.noarch
nethserver-mail-filter-1.1.1-1.ns6.noarch
nethserver-dnsmasq-1.0.4-1.ns6.noarch

#12 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Moved to nethserver-updates repository

Also available in: Atom PDF