Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Daniel,

well,

but AFAIK server-first directive is deprecated in 3.5.x.

Hmmmmmm?

26.01.2015 19:37, Daniel Greenwald wrote:
> See below. Nothing else too interesting. Those four lines were the key.
>
> http_port 3128
> http_port 3180 intercept
> https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=/usr/local/squid/ssl_cert/myCA.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
> sslcrtd_children 10
> logformat dig %{%Y-%m-%d %H:%M:%S}tl  %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A "%{User-Agent}>h"
> logfile_rotate 10
> access_log /var/log/squid/access.log dig
> pinger_enable off
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> ssl_bump server-first step2 all
>
> acl SSL_ports port 443
> acl Safe_ports port 80 443 
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> http_access allow all
> http_access deny all
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
>
>
>
>
> -----------
> Daniel I Greenwald
>
>
>
> On Mon, Jan 26, 2015 at 3:28 AM, Rafael Akchurin <rafael.akchurin@xxxxxxxxxxxx <mailto:rafael.akchurin@xxxxxxxxxxxx>> wrote:
>
>     Hello Daniel, Yuri
>
>
>     Maybe you could dump your whole squid.conf here (please remove any sensitive details).
>
>     I still cannot understand once Squid has the target server hostname from SNI - where is the acl/rule in squid.conf that can be used with this info present?
>
>
>     Best regards,
>
>     Rafael
>
>
>     -------------------------
>     *From:* squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>> on behalf of Daniel Greenwald <dig@xxxxxxxxxxx <mailto:dig@xxxxxxxxxxx>>
>     *Sent:* Monday, January 26, 2015 5:39 AM
>     *To:* Yuri Voinov
>     *Cc:* squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>     *Subject:* Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?
>     
>     Thank you Amos,
>     Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually what's required to mimic the behavior of pre-3.5 (sslbump server-first all):
>
>     acl step1 at_step SslBump1
>     acl step2 at_step SslBump2
>     ssl_bump peek step1 all
>     ssl_bump server-first step2 all
>
>     Hope that helps Yuri or any one else with this issue.
>
>     PS So far this is working great for eg gmail.com <http://gmail.com> which in previous version would throw browser errors!
>
>     -----------
>     Daniel I Greenwald
>
>
>
>     On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov@xxxxxxxxx <mailto:yvoinov@xxxxxxxxx>> wrote:
>
>
> How can that be?
>
> All HSTS sites cry with 3.5 bump option - they don't like host IP as CN;
> other sites' behaviour depends on their (and the browsers') settings.
>
> Is it possible to keep server-first behaviour in 3.5.x ?
>
> WBR, Yuri
>
> 09.01.2015 16:57, Amos Jeffries wrote:
> > On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
>
> > > I have working production 3.4.10 with working ssl bumping.
>
> > > Config was the same as working 3.4.10. I just wanted to take a
> > > look at the new release.
>
> > > squid.documented said that backward compatibility for the server-first
> > > and none options for ssl_bump is kept.
>
> > > But:
>
> > > Neither works with old syntax, nor new.
>
> > > Looks like target https hosts not resolved and bump got only IP.
>
> > The config values are still accepted, but there is an extra bumping
> > stage now before the SNI is available.
>
> > You are wanting to peek at stage 1 (to get the client SNI details) and
> > server-first/splice at stage 2 (using the domain). Otherwise all Squid
> > has to work with when intercepting are the TCP IPs.
>
> > Amos
>
>         _______________________________________________
>         squid-users mailing list
>         squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>         http://lists.squid-cache.org/listinfo/squid-users
>
>
>

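The whole thread turns on one ordering rule: at SslBump1 Squid only knows the TCP endpoints, and the client SNI is only available at SslBump2, so a final action taken at step 1 produces mimicked certificates carrying the server IP as CN. The lint below checks a squid.conf fragment for exactly that. It is an added example, not code from the list post or from the Squid project; it models only the two steps the thread describes, treats `all` and any ACL it does not know as "can match" (the pessimistic choice for this check), and uses constructed sample configs based on the rules Daniel posted and the pre-3.5 rule Yuri started from.

```python
"""Lint ssl_bump rules for the SNI-availability problem.

Added example, not part of the mailing-list post and not Squid's own code.
Model (from the thread): at_step SslBump1 = only TCP IPs known,
SslBump2 = client SNI known.  A final action chosen at step 1 therefore
yields a mimicked certificate with the server IP as CN.
"""

from typing import Dict, List, Optional, Tuple

# Actions that end the bumping decision at the step where they match.
FINAL_ACTIONS = {"bump", "server-first", "client-first", "splice", "terminate", "none"}
# Actions that defer the decision to the next step.
DEFER_ACTIONS = {"peek", "stare"}

# Constructed sample: the rules Daniel posted (peek first, then server-first).
GOOD_CONF = """\
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all
"""

# Constructed sample: the pre-3.5 style rule Yuri started from.
BAD_CONF = """\
ssl_bump server-first all
"""


def parse_ssl_bump(text: str) -> Tuple[Dict[str, str], List[Tuple[str, List[str]]]]:
    """Collect 'acl NAME at_step STEP' definitions and ssl_bump rules in order."""
    step_acls: Dict[str, str] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "at_step":
            step_acls[parts[1]] = parts[3]
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return step_acls, rules


def action_at_step(step: str, step_acls: Dict[str, str],
                   rules: List[Tuple[str, List[str]]]) -> Optional[str]:
    """First rule whose ACL list can match at STEP, or None.

    An at_step ACL matches only at its own step.  'all' and any ACL this
    lint does not know (including negated ones) are assumed to match,
    because we want to know what *can* be decided at step 1.
    """
    for action, acls in rules:
        if all(step_acls.get(a, step) == step for a in acls):
            return action
    return None


def check_sni_available(text: str) -> List[str]:
    """Return findings; an empty list means the final action is taken with SNI known."""
    step_acls, rules = parse_ssl_bump(text)
    step1 = action_at_step("SslBump1", step_acls, rules)
    findings: List[str] = []
    if step1 is None:
        findings.append("no ssl_bump rule matches at SslBump1; nothing is bumped")
    elif step1 in FINAL_ACTIONS:
        findings.append(
            f"'{step1}' is decided at SslBump1, before the client SNI is available: "
            "only the server IP is known, so mimicked certs will carry the IP as CN")
    elif step1 in DEFER_ACTIONS:
        step2 = action_at_step("SslBump2", step_acls, rules)
        if step2 is None:
            findings.append(f"'{step1}' at SslBump1 but no rule matches at SslBump2")
    else:
        findings.append(f"unknown ssl_bump action '{step1}'")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_sni_available(conf) or "ok")
```

Run it on a real squid.conf by reading the file into `check_sni_available`; the `good` sample reports nothing, the `bad` sample reports that `server-first` is decided at SslBump1. The lint deliberately ignores everything else in ssl_bump evaluation (per-host ACLs, `stare` versus `peek` semantics, what happens at SslBump3), so an empty result means only that the SNI ordering problem from this thread is absent.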


