Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Hello Daniel, Yuri


Maybe you could dump your whole squid.conf here (please remove any sensitive details).

I still cannot understand: once Squid has the target server hostname from SNI, where is the acl/rule in squid.conf that can be used with this info present?


Best regards,

Rafael



From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Daniel Greenwald <dig@xxxxxxxxxxx>
Sent: Monday, January 26, 2015 5:39 AM
To: Yuri Voinov
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?
 
Thank you Amos,
Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually what's required to mimic the behavior of pre-3.5 (sslbump server-first all):

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all

Hope that helps Yuri or any one else with this issue.

PS: So far this is working great for e.g. gmail.com, which in the previous version would throw browser errors!

-----------
Daniel I Greenwald



On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:

How can that be?

All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN;
other sites' behaviour depends on their (and browsers') settings.

Is it possible to keep server-first behaviour in 3.5.x ?

WBR, Yuri

09.01.2015 16:57, Amos Jeffries wrote:
> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
>
> > I have working production 3.4.10 with working ssl bumping.
>
> > Config was the same as working 3.4.10. I've just want to take a
> > look on new release.
>
> > in squid.documented it said that backward compatibility for the server-first
> > and none options for ssl_bump is kept.
>
> > But:
>
> > Neither works with old syntax, nor new.
>
> > Looks like target https hosts are not resolved and bump got only the IP.
>
> The config values are still accepted, but there is an extra bumping
> stage now before the SNI is available.
>
> You are wanting to peek at stage 1 (to get the client SNI details) and
> server-first/splice at stage 2 (using the domain). Otherwise all Squid
> works with when intercepting are the TCP IPs.
>
> Amos

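The thread above explains that in Squid 3.5 an intercepted TLS connection is evaluated in stages: at SslBump1 only the TCP endpoint addresses are known, and the client SNI is available only after a peek. The following squid.conf fragment is an added example, not the configuration of any participant in this thread; it uses the SNI learned at step 1 in an ssl::server_name ACL at step 2 (the kind of rule Rafael asks about), splicing a placeholder list of hosts and bumping the rest with the new-style bump action instead of the older server-first alias. The port number, CA certificate path and the .example.net domain are assumptions to be replaced with local values.

```conf
# Added example for Squid 3.5 peek-then-decide SSL bumping in intercept mode.
# Assumes a Squid build with SSL bumping and ssl_crtd support; port, CA path
# and the splice list below are placeholders, not values from the thread.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# at_step lets a rule apply to one bumping stage only.
acl step1 at_step SslBump1

# Hostnames Squid must never impersonate (placeholder list). ssl::server_name
# matches the name Squid has learned so far: after a peek at step 1 this is
# the SNI from the client Hello, not just the intercepted destination IP.
acl nobump ssl::server_name .example.net

# Step 1: nothing but the TCP addresses is known yet. Peek reads the client
# Hello (and its SNI) without committing to a bump or a splice.
ssl_bump peek step1 all

# Step 2: the SNI is now available, so ssl::server_name can be evaluated.
# Splice (tunnel untouched) the protected hosts, bump everything else. Rules
# are evaluated top-down at each step and the first match wins.
ssl_bump splice nobump
ssl_bump bump all
```

With this ordering the mimicked certificate is generated from the server name obtained via SNI rather than from the intercepted IP address, which is the difference behind the HSTS errors reported earlier in the thread. Spliced hosts are not decrypted at all, so ssl_bump access logging and any https-only ACLs will see them only as CONNECT-style tunnels.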
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
