On 06/27/2014 07:44 AM, Dieter Bloms wrote: > I use squid 3.4.5 and sslbump works great for the most big sites like > google and facebook .... > > There are some destinations, which share there ip with other virual > webserver, so the client gets a default certificate from the server with a > wrong CN. With SNI the client get the right certificate with the correct > CN. > I configured "ssl_bump server-first all", but to me it looks like squid > doesn't do SNI and so gets the wrong certificate. You are correct. With server-first bumping, Squid does not know client SNI when establishing the connection with the server. With client-first bumping, Squid knows client SNI (IIRC), but does not know the server certificate details when establishing the connection with the client and so it cannot mimic some important ones. Pick your poison. > Does anybody know a workaround for this problem ? Unfortunately, there is no way to detect SNI presence using ACLs right now. Furthermore, client-first is not compatible with many transactions, especially if you intercept. You can use TCP/IP-level information to instruct Squid to use client-first bumping for sites that require SNI _and_ appear to work in client-first mode (if any). The Peek and Splice project lays the groundwork for proper SNI support, but there is currently no volunteer or sponsor for the SNI-specific changes IIRC: http://wiki.squid-cache.org/Features/SslPeekAndSplice Cheers, Alex.
