
Thread: HTTPS Inspector

  1. #1
    Untangler (Join Date: Mar 2014, Posts: 33)

    HTTPS Inspector

    Does webcache work with HTTPS inspector to funnel TLS-encrypted traffic through Squid?

  2. #2
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    Yes.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler (Join Date: Mar 2014, Posts: 33)

    Weird, I don't see any https hits in /var/log/squid/access.log, and strace on the listening Squid process shows no activity on TLS-enabled sites but activity on cleartext.

    I'm kind of curious, conceptually, about how it flows through Squid -- originally I thought HTTPS intercept used Squid for its ssl-bump capabilities, but I've come to find out that isn't the case. I'm assuming that the Java used for HTTPS must be forwarding to the Squid engine somehow, or else being cached in a different manner?
    Last edited by alexray92; 08-18-2014 at 04:13 PM.
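    A small version of the check described in this post, added here as an example and not code from the thread or from Untangle: it parses Squid native-format access.log lines (constructed sample records, assumed format) and reports whether any decrypted https:// requests were logged, as opposed to opaque CONNECT tunnels or plain http:// hits. If the "decrypted" count stays at zero while TLS sites are being browsed, Squid is not seeing the inspector's plaintext.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout
# (timestamp elapsed client action/status bytes method URL ident hierarchy type).
# These records are made up for the example, not taken from a real Untangle box.
SAMPLE_LOG = """\
1408400000.123     45 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1408400001.456    300 192.168.1.10 TCP_TUNNEL/200 5678 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1408400002.789     60 192.168.1.11 TCP_MEM_HIT/200 4321 GET http://example.com/logo.png - HIER_NONE/- image/png
"""

# Only the leading fields matter for this check; trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return 'decrypted', 'tunneled', 'cleartext', 'other' or None for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # blank or unparseable line
    method, url = m.group("method"), m.group("url")
    if method == "CONNECT":
        return "tunneled"    # opaque TLS relayed as-is; Squid never sees the request
    if url.startswith("https://"):
        return "decrypted"   # a plaintext request from inside TLS reached Squid
    if url.startswith("http://"):
        return "cleartext"
    return "other"


def summarize(log_text):
    """Count log lines per category; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            counts[kind] += 1
    return dict(counts)


def https_reaches_squid(log_text):
    """True only if Squid logged at least one decrypted https:// request."""
    return summarize(log_text).get("decrypted", 0) > 0


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), "https reaches squid:", https_reaches_squid(SAMPLE_LOG))
```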

  4. #4
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    Indeed, sorry you are right.

    webcache does not subscribe to https inspector's decrypted traffic.

  5. #5
    Untangler (Join Date: Mar 2014, Posts: 33)

    Oh wow, the whole https inspector thing seems to be written in Java! Seems like a pretty daunting task compared to piggy-backing on Squid 3.x's built-in capabilities, lol

  6. #6
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    most of Untangle is written in java.

  7. #7
    Untangler (Join Date: Mar 2014, Posts: 33)

    Yeah, but it seems to take a pragmatic approach in a lot of places -- using bash scripts to run openssl instead of re-implementing openssl-like tools in Java, for example. I guess it's not so surprising given that Squid's ssl-bump functionality was poorly implemented for a long time (I remember having to write something like ut-certgen to get it to work due to a bug in the way Squid handled certificate subjects.)

    I get the impression that the Web Cache module is on its way out? Honestly I didn't even want the cache, I just wanted squid so I could pass stuff with ICAP back to a DLP server.

  8. #8
    Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    only web cache uses squid.
    the whole point to HTTPS inspector is so the apps can inspect HTTPS, squid would not help with that.

    indeed, I would suggest not using web cache unless your web traffic is really fast and you want it to be a bit slower, but I've beat that horse to death several times already.

  9. #9
    Untangler (Join Date: Mar 2014, Posts: 33)

    > the whole point to HTTPS inspector is so the apps can inspect HTTPS, squid would not help with that.
    Squid has the ability to do transparent ssl-stripping/MITM in a similar manner to what Untangle has implemented in Java, is what I mean. I was originally looking at squid not for caching, but as a way to get ICAP capabilities so as to integrate Untangle with a DLP product without having to do two separate ssl-stripping steps, since I don't believe Untangle currently supports ICAP natively. Fortinet, McAfee, and Symantec have firewall products that do something like this, for example (not squid, but ICAP for external services).
    Last edited by alexray92; 08-18-2014 at 08:34 PM.

  10. #10
    Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,510)

    Squid has a way of being an SSL proxy, because it's a proxy... that's not a MITM in the traditional sense because you need to configure the browser to hit it. It can do transparent too, which would be comparable but it's not terribly good.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
