On 10/20/2014 04:22 PM, Jason Haar wrote:
> Both Chrome and Firefox support talking to proxies using SSL (wpad type
> "HTTPS" instead of "PROXY").

I did not know that support was added to major browsers. Any pointers to the relevant configuration knobs? Can it be configured without WPAD?

> I'm trying to test that out against my
> ssl-bump enabled squid proxy and it's causing an infinite loop
>
> Basically if I do something like
>
> (sleep 2;echo -ne "GET http://slashdot.org/ HTTP/1.0\r\n\r\n"; sleep 4)|openssl s_client -connect localhost:3129
>
> against a squid-3.4.8 proxy set up with
>
> https_port 3129 ssl-bump intercept

You are connecting directly to an interception port. I do not think that is allowed. Interception assumes the client connection was intended for a non-Squid address. When you break that assumption, you may get a loop.

If you remove SslBump and intercept options from https_port, then Squid should be able to accept and decode the SSL connection, and receive a plain GET request inside it.

Please note that I am not sure Squid can currently *bump* CONNECT requests directed at https_port inside an SSL connection. It is technically possible, but I am not sure we have the code to actually do that. I suspect Squid may assume that there is at most one SSL wrapper for a connection. Supporting multiple SSL layers while bumping the inner CONNECT may need testing and possibly development.

HTH.

Alex.

> http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> https_port 3129 ssl-bump intercept cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL