2015-12-21 192 views
2

I am trying to keep a legacy system (CentOS 5.x) connecting to services that will soon only allow TLS v1.1 or TLS v1.2 connections (Salesforce, various payment gateways, etc.). Can I use Squid to upgrade the client TLS connection?

I have installed Squid 3.5 on a CentOS 7 server in a Docker container and am trying to configure Squid to bump SSL connections. My thinking is that since Squid acts as a MITM and opens one connection to the client and one to the target server, it will negotiate a TLS 1.2 connection to the target while the client connects with SSLv3 or TLS 1.0.

Am I completely off base here, or should this work? If Squid can't do this, is there another proxy that can?

My current Squid config looks like this:

access_log  /var/log/squid/access.log
cache_log  /var/log/squid/cache.log

cache_store_log none
cache   deny all

http_access  allow all
http_port  3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on version=1

ssl_bump  stare all
ssl_bump  bump all
+0

Hey - I'm facing this as well, did you ever figure it out? – user1914292

Answer

0

I was able to get this working only by bumping at step one, rather than peeking or staring. The final configuration I used (with comments) is below:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Write access and cache logs to disk immediately using the stdio module.

access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log

# Define ACLs related to ssl-bump steps.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The purpose of this instance is not to cache, so disable that.

cache_store_log none
cache   deny all

# Set up http_port configuration. All clients will be explicitly specifying
# use of this proxy instance, so https_port interception is not needed.

http_access allow all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid.pem \
      generate-host-certificates=on version=1

# Bump immediately at step 1. Peeking or staring at steps one or two will cause
# part or all of the TLS HELLO message to be duplicated from the client to the
# server; this includes the TLS version in use, and the purpose of this proxy
# is to upgrade TLS connections.

ssl_bump bump step1 all
+0

A warning to anyone trying this configuration: it works by stripping *all* server TLS security details from the information passed to the client. This increases vulnerability to various attacks and other communication problems, so restrict the use of step1 as much as possible. –
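As an added illustration of why the answer bumps at step1 rather than peeking or staring (this is not code from the question or the answer): the fields below are what a peek or stare at SslBump1 would relay from the client's hello to the origin server, so a TLS 1.0-only client would still announce TLS 1.0 to the server. The ClientHello bytes are constructed inline rather than captured, and `build_client_hello` and `parse_client_hello` are helper names of my own.

```python
import struct

TLS_VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, cipher_suites, server_name):
    """Assemble a minimal TLS ClientHello record (constructed sample, not a capture)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry          # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body        # extension type 0 = SNI
    body = (struct.pack("!H", version)                                # client_version
            + b"\x11" * 32                                             # random (fixed filler)
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", s) for s in cipher_suites)
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # record type 22

def parse_client_hello(data):
    """Return the fields a peek or stare at SslBump1 would relay to the origin server."""
    ctype, rec_ver, _rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                              # skip handshake type + 3-byte length
    client_ver = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    p += 32                                                            # random
    p += 1 + data[p]                                                   # session id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + data[p]                                                   # compression methods
    sni = None
    if p < len(data):                                                  # extensions are optional
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            if etype == 0x0000:                                        # SNI: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                sni = data[p + 5:p + 5 + name_len].decode()
            p += elen
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "sni": sni}

def offered_version_name(data):
    return TLS_VERSION_NAMES.get(parse_client_hello(data)["client_version"], "unknown")

# Constructed sample: what a TLS 1.0-only legacy client might send (RSA/CBC suites, SNI set).
SAMPLE_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A], "api.example.com")
```

A bump at step1 sends Squid's own hello to the server instead, so none of these client-side fields reach it; that is both the upgrade the question asks for and the reason the comment above warns that the client no longer sees the server's real TLS details.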
