On 15/05/2013 4:30 p.m., neeraj kharbanda wrote:
Thanks for the reply. What are the workarounds, if there are any?
Regards
If the "problem" is sites actually using SSL properly, then no, there are
no workarounds. SSL was designed to prevent eavesdropping - it does so
very well when used properly and Squid cannot change or work around that.
If the problem is alternative protocols in use, then check you're using an
up-to-date Squid release. We have them tunnelling intercepted non-HTTPS
traffic when possible now. The problem is mostly to do with client
handling of the errors though - if that's broken, "tough luck".
Amos
On Mon, May 13, 2013 at 4:57 AM, Amos Jeffries wrote:
On 13/05/2013 3:03 a.m., neeraj kharbanda wrote:
Hi,
Why don't some sites open when redirected through Squid? Mostly
secure sites. I'm using SNAT redirection of iptables.
Because SSL is a security protocol designed to prevent interception such as
NAT.
Any site which is *correctly* using SSL/TLS security procedures with
validation at both client and server ends will not work when NAT'ed to a
proxy. Some sites have been doing that for a long time, and as SSL
interception of half-validating sites is growing in popularity, so is the
number of sites which are improving their validations.
Also, port 443 is used for approximately 5 different protocols these days:
HTTPS, WebSockets, and several versions of SPDY. Sites using any of the
non-HTTPS ones will not work well through an HTTP(S) intercepting Squid.
Amos