On 2014-06-30 07:13, Dan Charlesworth wrote:

No worries.

Sounds like this is the feature you should be waiting with bated breath for: http://wiki.squid-cache.org/Features/SslPeekAndSplice

I'm not a developer so I have no idea how far along that is right now.
On 30 Jun 2014, at 11:05 pm, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:

Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another popular one that use pinning.

As far as your broken_sites ACL goes, you can't use `dstdomain` because the only thing Squid can see of the destination before bumping an intercepted connection is the IP address. So for `ssl_bump none` you'll need to use `dst` ACLs instead.

ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.

Good luck
On 30 Jun 2014, at 10:38 pm, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
Topic pretty much says it...most sites work fine using my below set up, but some (Apple's app store) do not. I'm wondering if cert pinning is the issue? Since this set up is basically two separate sessions, I packet captured both. The side that I have control over gives me a TLS Record Layer Alert Close Notify. I am unable to decrypt the other side as the device in question is an iDevice and I can't capture the master secret.

I've even tried to ACL certain sites to not bump, but they don't go through. Below is my complete setup. This is running the below:
Ah good catch, thank you. I've seen expensive proxy appliances just tunnel the traffic through, but they get the host and domain name to all control...which is really all I'm wanting to do is control what sites are allowed. I'll give your suggestions a go...thank you.

James
Thanks Dan...looks like that's what I'll be watching for.

James
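To make Dan's `dst`-versus-`dstdomain` point concrete, here is a squid.conf fragment showing the ACL that cannot match an intercepted connection before the bump next to the one that can. This is an added example, not configuration from the thread or from the Squid project; the port number, certificate path, `ssl_crtd` path and the Squid 3.4-era `server-first` action are assumptions and will need adjusting to the local build.

```conf
# Added example (not from the thread). Squid 3.4-era intercept + SSL-bump
# setup that leaves pinned destinations untouched. Port 3129, the CA cert
# path and the ssl_crtd path are assumptions; adjust for your install.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Does NOT work for intercepted HTTPS: at the point ssl_bump is evaluated
# Squid only knows the destination IP, so a dstdomain ACL never matches
# and every connection still gets bumped (pinned clients then close).
# acl broken_sites dstdomain .apple.com .akamai.net
# ssl_bump none broken_sites

# Works: match on the destination IP blocks quoted in the thread
# (Apple 17.0.0.0/8, Akamai 23.0.0.0/12) and skip bumping for them.
acl broken_sites dst 17.0.0.0/8 23.0.0.0/12
ssl_bump none broken_sites

# Everything else is bumped so http_access can see the real URL.
ssl_bump server-first all
```

Connections matched by `broken_sites` are tunnelled as opaque TLS, so any allow/deny policy for those destinations has to be expressed with `dst` ACLs in `http_access` as well; hostname-based control for them is only possible once the peek-and-splice feature Dan links to is available.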