On 01.02.2015 19:50, Yuri Voinov wrote:
02.02.2015 0:46, Amos Jeffries пишет:On 2/02/2015 7:16 a.m., Yuri Voinov wrote:01.02.2015 23:48, Walter H. пишет:Hello,<snip>acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.atbanking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.atacl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com ssl_bump none ssl_bump_domains_bankingsites ssl_bump none ssl_bump_domains_msftupdates ssl_bump server-first allYou do it wrong. You don't know site names BEFORE bump.No. His http_port settings are those which match a proxy being configured explicitly in the brower, which means CONNECT messages with domain name expected to be present.Oh, of course. I compare it with my interception configuration. :) But ip-based dst acl for bankings will works in any case. Just pass-through banking IP without bump - and, viola! - they works. Yes?
I have a few more lines before ssl-bump server-first all in my squid.confacl ssl_bump_domains_none_list dstdomain "/etc/squid/sslbumpnonedomains-list-acl.squid" acl ssl_bump_domains_none_regex dstdom_regex -i "/etc/squid/sslbumpnonedomains-regex-acl.squid" acl ssl_bump_domains_clntfrst_list dstdomain "/etc/squid/sslbumpclntfrstdomains-list-acl.squid" acl ssl_bump_domains_clntfrst_regex dstdom_regex -i "/etc/squid/sslbumpclntfrstdomains-regex-acl.squid"
ssl_bump none ssl_bump_domains_none_list ssl_bump none ssl_bump_domains_none_regex ssl_bump client-first ssl_bump_domains_clntfrst_list ssl_bump client-first ssl_bump_domains_clntfrst_regexand any host in one of these files is either not bumped or bumped with client-first - google's domains are the FF problem, this is the workaround
attached is the certificate chain the is shown in Google Chrome of this banking site, that makes problems ...It might not be, which could be the problem. But that can only known by looking at the CONNECT request message itself. Amos
by the way, without squid it is the same ..., why? what goes wrong? the reason why not bumping banking sites is the following:I have a VM that is used only for electronic banking, and there I didn't install my CAs root and the SSL-bump CA certificate; so any SSL site that has nothing to do with banking will not work, and that should it be;
Greetings, Walter
-----BEGIN CERTIFICATE----- MIIGkDCCBXigAwIBAgIQYkb1C4g8q44Kkus/tiL3fjANBgkqhkiG9w0BAQsFADB3 MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMTIyMDAwMDAwWhcNMTYwMTI2 MjM1OTU5WjCCARcxEzARBgsrBgEEAYI3PAIBAxMCREUxIjAgBgsrBgEEAYI3PAIB AQwRRnJhbmtmdXJ0IGFtIE1haW4xHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0 aW9uMREwDwYDVQQFEwhIUkIgNzcyNzELMAkGA1UEBhMCREUxDjAMBgNVBBEMBTYw NDg2MQ8wDQYDVQQIDAZIZXNzZW4xGjAYBgNVBAcMEUZyYW5rZnVydCBhbSBNYWlu MR4wHAYDVQQJDBVUaGVvZG9yLUhldXNzLUFsbGVlIDIxFDASBgNVBAoMC0lORy1E aUJhIEFHMQwwCgYDVQQLDANJVEkxHDAaBgNVBAMME2JhbmtpbmcuaW5nLWRpYmEu YXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0I92WSwNCHidlOXcT PW2hnOw3nj3zQd1pcSzFfuLn0CUVg9l8m55r9xv//rj+1DXxEB4R6blpabw3UDJn 7/6TjpeNUzPBN1f72kYEOCvg1AQtrDYGa9FjgEd6XZMMhhMt7+hyZace62uVwS1E GfT+eh4uQc2M8HNvzCuvtK087nDk0M2eNZ+K0DnUfr/1wmkZBDUJeYaFPSW/G+3G la17OxAOccpK3uPQBbHvV/kCoVxYFQDlWh3sNkW4kpj0eM/4uotXEe5cGEcxuR+E 4sx/vzMcNntnxZ9pD2KdyiBfSKyJYfty0SLr2nxlHHk1SShqHDKwPTfGb6v2wS/n nIMxAgMBAAGjggJ0MIICcDAeBgNVHREEFzAVghNiYW5raW5nLmluZy1kaWJhLmF0 MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcGMEwwIwYIKwYBBQUH AgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkaF2h0dHBz Oi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFAFZq+fdOgtZpmRj1s8gB1fV kedqMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zci5zeW1jYi5jb20vc3IuY3Js MFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3NyLnN5bWNkLmNv bTAmBggrBgEFBQcwAoYaaHR0cDovL3NyLnN5bWNiLmNvbS9zci5jcnQwggEDBgor BgEEAdZ5AgQCBIH0BIHxAO8AdQCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80O yA3cEAAAAUsR9tHWAAAEAwBGMEQCIDkjKUNWLfk1f5f90CNgM/910+D2BGOoErHo 9CKJlAbNAiAE8DSFnN3SGco0yqO5GLtkjH9ygWmizpKLnP2E4vauvQB2AFYUBpov 18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABSxH205YAAAQDAEcwRQIgFA/3 EtWgoVnRZrTjAtgbcjKKtNQLbZI525wsvRu4k3QCIQCiEqbGpzCY0IHI5Gq7W+be 4acuWPou7nmH9iS4/SdfQzANBgkqhkiG9w0BAQsFAAOCAQEAB6jooQYCh5za9pJN PUtys2mI/cAkMeoy+QE3YtF3oLP+9k6ausZ8bvKT5WOU+dPH7m8PHObj1n7upd2w 6M+opWrggjuM9FQigaQsfi8fP0wZwF19X+zfK4DqnoRVDTf7VcJY5kHG67a6e8rt JXQ0G6UUT7F7oSktZ/dOWRC/8lQJ/baBSG76e3SfUKaGMd02WQZCbiYxZh0gOFJL aozQNksMJMYK5AT2muMXiBJDLVU53RohifVvtZqkJ7qIuaQhJ3jQhXgAn3zrXGzp +E6DtcUkcMp9lVrLRRp2eY6OZbbrl5GgSg+rEQkuo9lqmeBwZDKnuO/+7KZzfBg9 InYzeA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFKzCCBBOgAwIBAgIQfuFKb2/v8tN/P61lTTratDANBgkqhkiG9w0BAQsFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB3MQsw CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVjIENs YXNzIDMgRVYgU1NMIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDYoWV0I+grZOIy1zM3PY71NBZI3U9/hxz4RCMTjvsR2ERaGHGOYBYmkpv9 FwvhcXBC/r/6HMCqo6e1cej/GIP23xAKE2LIPZyn3i4/DNkd5y77Ks7Imn+Hv9hM BBUyydHMlXGgTihPhNk1++OGb5RT5nKKY2cuvmn2926OnGAE6yn6xEdC0niY4+wL pZLct5q9gGQrOHw4CVtm9i2VeoayNC6FnpAOX7ddpFFyRnATv2fytqdNFB5suVPu IxpOjUhVQ0GxiXVqQCjFfd3SbtICGS97JJRL6/EaqZvjI5rq+jOrCiy39GAI3Z8c zd0tAWaAr7MvKR0juIrhoXAHDDQPAgMBAAGjggFdMIIBWTAvBggrBgEFBQcBAQQj MCEwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wEgYDVR0TAQH/BAgw BgEB/wIBADBlBgNVHSAEXjBcMFoGBFUdIAAwUjAmBggrBgEFBQcCARYaaHR0cDov L3d3dy5zeW1hdXRoLmNvbS9jcHMwKAYIKwYBBQUHAgIwHBoaaHR0cDovL3d3dy5z eW1hdXRoLmNvbS9ycGEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3MxLnN5bWNi LmNvbS9wY2EzLWc1LmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwx GjAYBgNVBAMTEVN5bWFudGVjUEtJLTEtNTMzMB0GA1UdDgQWBBQBWavn3ToLWaZk Y9bPIAdX1ZHnajAfBgNVHSMEGDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzANBgkq hkiG9w0BAQsFAAOCAQEAQgFVe9AWGl1Y6LubqE3X89frE5SG1n8hC0e8V5uSXU8F nzikEHzPg74GQ0aNCLxq1xCm+quvL2GoY/Jl339MiBKIT7Np2f8nwAqXkY9W+4nE qLuSLRtzsMarNvSWbCAI7woeZiRFT2cAQMgHVHQzO6atuyOfZu2iRHA0+w7qAf3P eHTfp61Vt19N9tY/4IbOJMdCqRMURDVLtt/JYKwMf9mTIUvunORJApjTYHtcvNUw LwfORELEC5n+5p/8sHiGUW3RLJ3GlvuFgrsEL/digO9i2n/2DqyQuFa9eT/ygG6j 2bkPXToHHZGThkspTOHcteHgM52zyzaRS/6htO7w+Q== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y 5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ 4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq -----END CERTIFICATE-----
<<attachment: smime.p7s>>
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
