SSL in transparent mode


luce...@gmail.com

Dec 3, 2015, 3:26:31 AM
to e2guardian
Hi,

First, thank you for developing this application. It does the job as it should, maybe except SSL MITM ;), that's why I'm writing here.

My question is: how do I configure it so that SSL MITM works? AFAIK E2Guardian supports that, but I can't find documentation for this anywhere, even in its sources.

I tried to guess how to set it up, but nothing worked; I always get "ssl_error_rx_record_too_long" in the web browser, even though the certificate from the gateway has been added to the web browser.

The most important questions are:
- how do I redirect packets in iptables? To port 8080, or to another port on which E2Guardian should listen?
- to which port should I redirect traffic from E2Guardian to Squid? Again... to the same Squid port or to a second Squid (for https) port?
- can you explain better what these options are for?:
sslcertificatepath
cacertificatepath
caprivatekeypath
certprivatekeypath
I know I should sign the traffic on it with the CA certificate, but I'm confused about what exactly these 4 options are for.

Please help me with this implementation; it will probably help many others as well.
Regards, wrkilu

luce...@gmail.com

Dec 3, 2015, 3:29:52 AM
to e2guardian, luce...@gmail.com


I should add that I have E2Guardian installed from source, in version:
# e2guardian -v
e2guardian 3.2.0
Built with: '--prefix=/opt' '--enable-sslmitm'

FredB

Dec 3, 2015, 5:57:24 AM
to e2gua...@googlegroups.com

Currently e2guardian will only filter SSL, SSLMITM or not, when proxy is
explicitly set in the browser

luce...@gmail.com

Dec 3, 2015, 11:40:08 AM
to e2guardian
On Thursday, December 3, 2015 at 11:57:24 AM UTC+1, FredB wrote:
> Currently e2guardian will only filter SSL, SSLMITM or not, when proxy is
> explicitly set in the browser

Big shame then :( Does anybody know when, if at all, this functionality will be available?

wrkilu

Philip Pearce

Dec 3, 2015, 4:08:31 PM
to lucek com, e2guardian
It is on the 'wish list' for the next major version (v4) expected to be released some time next year.

Even when available, transparent SSL will never fully replace explicit proxy as transparent SSL interception has only limited possible functionality compared to explicit SSL proxy, so could only be really used as a last resort.

Regards

Philip



luce...@gmail.com

Dec 4, 2015, 6:44:11 AM
to e2guardian, luce...@gmail.com, philip...@e2bn.org
On Thursday, December 3, 2015 at 10:08:31 PM UTC+1, Philip wrote:
> It is on the 'wish list' for the next major version (v4) expected to be released some time next year.
>
> Even when available, transparent SSL will never fully replace explicit proxy as transparent SSL interception has only limited possible functionality compared to explicit SSL proxy, so could only be really used as a last resort.
>
>
> Regards
>
> Philip
>

OK, anyway this is a very important thing; nowadays more and more sites are moving to https. So we're waiting for that feature ;)

Regards
wrkilu

