On 20/08/2014 1:12 p.m., Eliezer Croitoru wrote:
> I wasn't sure but I am now.
> You are doing something wrong and I cannot tell what exactly.
> Try to share this script output:
> http://www1.ngtech.co.il/squid/basic_data.sh
>
> There are missing parts in the whole setup such as client's IP and server
> IP, what GW are you using etc.
>
> Eliezer

Probably expecting DNS-based forgery to hijack the connections is the mistake.

When receiving HTTPS all Squid has to work with are the two TCP packet IP addresses. If one of them is the client IP and the other is forged by DNS (unbound), what server is to be contacted? Hostname from the "accel" hack is buried inside the encryption which has not yet arrived from the client.

So Squid has to decrypt some future traffic in order to discover what server to contact right now to get the cert details which need to be emitted in order to start decrypting that future traffic. Impossible situation.

But Squid is not aware of that, it just uses the TCP packet dst IP (itself) and tries to get the server TLS certificate from there. Entering an infinite loop of lookups instead of a useful decryption.

proxyplayer.co.uk; why are you using unbound for this at all?

Amos
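The lookup loop Amos describes, modelled as a small added example (not Squid's code and not from this thread): all addresses and DNS answers are constructed, and the server-first bump step is reduced to "connect to the TCP dst to fetch its certificate", which is all the proxy can do before the client's handshake arrives.

```python
# Added example (not Squid's code): a model of the lookup loop described above.
# When an intercepted HTTPS connection arrives the proxy has only two TCP
# addresses; if a forged DNS answer made the dst address the proxy itself,
# every attempt to reach the "origin" is intercepted again.
# All addresses are constructed (RFC 5737 documentation ranges).

from dataclasses import dataclass

PROXY_ADDRS = {"192.0.2.10"}          # constructed: addresses Squid listens on
CLIENT_IP = "198.51.100.7"            # constructed: LAN client
REAL_ORIGIN = "203.0.113.44"          # constructed: the genuine example.com address

# Constructed unbound-style answers: the forged zone points the name at the proxy.
FORGED_DNS = {"example.com": "192.0.2.10"}
HONEST_DNS = {"example.com": REAL_ORIGIN}


@dataclass(frozen=True)
class TcpConn:
    src_ip: str
    dst_ip: str   # the only server identity available before the TLS handshake


def intercepted_conn(client_ip, name, resolver):
    """The client resolved `name` and connected; the interceptor sees only IPs."""
    return TcpConn(src_ip=client_ip, dst_ip=resolver[name])


def bump_origin_lookups(conn, proxy_addrs=PROXY_ADDRS, max_hops=5):
    """Replay the server-first step: to fetch the origin certificate the proxy
    connects to conn.dst_ip. If that address is the proxy itself, the outbound
    connection is intercepted again with the same dst, and so on.
    Returns (hops, outcome) where outcome is 'origin' or 'loop'."""
    hops = []
    while len(hops) < max_hops:
        hops.append(conn.dst_ip)
        if conn.dst_ip not in proxy_addrs:
            return hops, "origin"
        # The proxy connecting to itself becomes the "client" of the next hop.
        conn = TcpConn(src_ip=next(iter(proxy_addrs)), dst_ip=conn.dst_ip)
    return hops, "loop"


def diagnose(name, resolver):
    """Outcome of intercepting a client connection to `name` under `resolver`."""
    hops, outcome = bump_origin_lookups(intercepted_conn(CLIENT_IP, name, resolver))
    return outcome, hops


if __name__ == "__main__":
    print("forged DNS:", diagnose("example.com", FORGED_DNS))
    print("honest DNS:", diagnose("example.com", HONEST_DNS))
```

With the forged zone the model never leaves the proxy's own address, which is the loop of lookups the reply describes; with an honest answer the first hop reaches the real origin.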