Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Daniel Greenwald <dig@xxxxxxxxxxx> · Sun, 25 Jan 2015 23:39:57 -0500

Thank you Amos,
Based on your explanation I was able 
to make bumping work for transparent with no browser errors in 3.5.1 by 
using the following. If I understand correctly, this is actually whats required to mimic the behavior of pre 3.5 (sslbump server-first all) :

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all

Hope that helps Yuri or any one else with this issue. 

PS So far this is working great for eg gmail.com which in previous version would throw browser errors!

-----------
Daniel I Greenwald

On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

How can that be?

All HSTS sites cry with 3.5 bump option - they don't like host IP as CN,

other sites behaviour depending they (and browsers) settings.

Is it possible to keep server-first behaviour in 3.5.x ?

WBR, Yuri

09.01.2015 16:57, Amos Jeffries пишет:

> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:

>

> > I have working production 3.4.10 with working ssl bumping.

>

> > Config was the same as working 3.4.10. I've just want to take a

> > look on new release.

>

> > in squid.documented said, than backward compatibility server-first

> > and none options for ssl_bump are kept.

>

> > But:

>

> > Neither works with old syntax, nor new.

>

> > Looks like target https hosts not resolved and bump got only IP.

>

> The config values are still accepted, but there is an extra bumping

> stage now before the SNI is available.

>

> You are wanting to peek at stage 1 (to get the client SNI details) and

> server-first/splice at stage 2 (using the domain). Otherwise All Squid

> works with when intercepting are the TCP IPs.

>

> Amos

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

iQEcBAEBAgAGBQJUsDE9AAoJENNXIZxhPexGl+MH/2wEV5rEDSb6eQ5KRbHI8ZJ4

WV0fdTg7yFR+bfWCUYzjVovQhrx0gaIFLNWvuwDbc62zJJnvADQuAzu7chouafkP

wpGuBjjp3jYZWa1TlZN4XoDeK2THswXau/5kY9P7IKKAJu9VjhjII803ywn5C8DW

48NQWU0Uhs86Tr6XAuaRzUYZK6lht0VcJFKiftmKmOE7Rl7+Yy/Kak1zXxLh8mzX

a8N0DSsSlBqIm7s8yngwWQuf8rQ0tlwrKWNSpCL3xD6Wk0MFwhRqe6Vbncj4sbff

p0OifMf0YD5sbytsUq4OO5HOdO7WPu+foB2AMKSiou5cDMqz5Vcnw0mD35t25Fg=

=OEZu

-----END PGP SIGNATURE-----

_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users