Intercepting HTTPS Proxy



  • Does anyone know how to setup an intercepting proxy for HTTPS connections?

I would like to proxy all web browsing (both HTTP and HTTPS) through my firewall for content filtering in order to block certain sites. I have already searched these forums and other sites, but they only mention how to set up "transparent proxies" and "reverse proxies" (for servers), and these solutions do not apply. For the intercepting proxy to function correctly (i.e. view the payload), it must break the chain of trust for the SSL connection by modifying the request/response to (1) terminate the initial SSL transaction, (2) forward the payload to any content filters, and (3) then initiate a new SSL transaction for the response. This will obviously present the client with a mismatched certificate warning, but I am willing to accept that.

    I know this is possible with commercial firewall devices that are currently employed by various government and DOD networks. But can this be done using pfSense, Squid, etc?

    Thank you,
    Marcin



  • I think that I may have found the solution:

    http://wiki.squid-cache.org/Features/SslBump
    http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/

    I will attempt this solution and post my results.



  • I think this is possible if you do NOT use a transparent proxy and hardcode the proxy IP and port into the client's browser.


  • Rebel Alliance Developer Netgate

    There are very hackish ways to hijack ssl but it involves installing a certificate on the client machine, which essentially completely breaks the trust of SSL in such a way to make it useless. (There are also rumors that China/FBI/NSA/CIA/etc have "special" trusted CA certs on sniffer devices that essentially do the same… but I haven't seen any real evidence, though it is a fun theory)

    If you don't control the clients, you can't transparently proxy ssl. If you do control the clients, you're much better off doing as Nachtfalke suggested and hard coding the proxy information on the clients. Then you don't need to hack anything or install any certificates.
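    For reference, the SslBump setup the second post links to and the client-side CA requirement the reply above describes look like the following. This is an added example, not configuration posted by anyone in the thread; it uses the Squid 3.5-era directive names from the SslBump wiki (peek/bump steps, ssl_crtd), and the paths, the CA file name, the port numbers and the blocked domain are all assumptions.

```conf
# --- One-time CA setup (shell, run once on the proxy host) -----------------
# Assumed paths; adjust for your Squid build.
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -extensions v3_ca -keyout /etc/squid/ssl_cert/myCA.pem \
#       -out /etc/squid/ssl_cert/myCA.pem
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db        # init cert cache
#   chown -R proxy:proxy /var/lib/ssl_db                  # squid's user
# Export the public half for clients (this, and only this, goes to browsers):
#   openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform DER \
#       -out /etc/squid/ssl_cert/myCA.der

# --- squid.conf ------------------------------------------------------------
# Explicit (browser-configured) proxy port, as the reply recommends.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Optional transparent variant for firewall-redirected port 443 traffic.
# Clients still need the CA installed; without it every site warns.
# https_port 3129 intercept ssl-bump \
#     cert=/etc/squid/ssl_cert/myCA.pem \
#     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints a per-site leaf cert signed by myCA on the fly.
# (Squid 4 renamed this to security_file_certgen.)
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Bump everything: peek at the ClientHello first, then terminate TLS.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Do NOT silently accept bad upstream certificates; otherwise the proxy
# hides server-side TLS failures from every client behind it.
sslproxy_cert_error deny all

# With the stream decrypted, ordinary dstdomain filtering applies to HTTPS.
acl blocked dstdomain .example.com
http_access deny blocked
http_access allow localnet
http_access deny all
```

    The private key in myCA.pem is the whole trust boundary: anyone who obtains it can impersonate every HTTPS site to every client that imported the CA, which is the "completely breaks the trust of SSL" point above. Keep it readable only by the squid user, and distribute the DER export rather than the combined PEM.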

