
Re: ssl issues are Eating me alive.

On Thu, Apr 13, 2017 at 09:04:01PM +0100, Darac Marjal wrote:
> It looks[1] like Squid can do SSL Interception. I imagine it should be
> possible, therefore, for squid to perform the HTTPS connection and
> either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV

Well, an automatic downgrade to HTTP could work (not sure how to implement it),
but you'll often experience issues due to missing SNI support.
For example in the case of elinks you can find the following open wishlist bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797968
So that issue will continue to exist in stretch, but that's not the fault of
GnuTLS; it's an application issue.

In regard to cipher support, at least GnuTLS from jessie should work with
most public sites. For wheezy the situation might be more complicated.

Regarding Squid, I *think* it's also missing SNI support at the moment, and
for sure in wheezy.

Long story short: you need a somewhat recent GnuTLS release (jessie should
be fine) and application-level support on par with that.

Sven