02.02.2015 1:26, Walter H. wrote:
> On 01.02.2015 19:50, Yuri Voinov wrote:
>> 02.02.2015 0:46, Amos Jeffries wrote:
>>> On 2/02/2015 7:16 a.m., Yuri Voinov wrote:
>>>> 01.02.2015 23:48, Walter H. wrote:
>>>>> Hello,
>>> <snip>
>>>>> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.at
>>>>> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
>>>>> ssl_bump none ssl_bump_domains_bankingsites
>>>>> ssl_bump none ssl_bump_domains_msftupdates
>>>>> ssl_bump server-first all
>>>> You do it wrong. You don't know site names BEFORE bump.
>>> No. His http_port settings are those which match a proxy being
>>> configured explicitly in the browser, which means CONNECT messages with
>>> domain name expected to be present.
>> Oh, of course. I compare it with my interception configuration. :)
>> But an IP-based dst acl for banking sites will work in any case. Just
>> pass through banking IPs without bump - and, voilà! - they work.
>> Yes?
>>
> I have a few more lines before ssl-bump server-first all in my squid.conf
>
> acl ssl_bump_domains_none_list dstdomain "/etc/squid/sslbumpnonedomains-list-acl.squid"
> acl ssl_bump_domains_none_regex dstdom_regex -i "/etc/squid/sslbumpnonedomains-regex-acl.squid"
> acl ssl_bump_domains_clntfrst_list dstdomain "/etc/squid/sslbumpclntfrstdomains-list-acl.squid"
> acl ssl_bump_domains_clntfrst_regex dstdom_regex -i "/etc/squid/sslbumpclntfrstdomains-regex-acl.squid"
> ssl_bump none ssl_bump_domains_none_list
> ssl_bump none ssl_bump_domains_none_regex
> ssl_bump client-first ssl_bump_domains_clntfrst_list
> ssl_bump client-first ssl_bump_domains_clntfrst_regex
>
> and any host in one of these files is either not bumped or bumped with client-first - Google's domains are the FF problem, this is the workaround

Google domains are not a problem for me.
I have all root and intermediate CAs and specify them to Squid when bumping. So, in my installation Google domains are bumped as usual.

>
>>>
>>> It might not be, which could be the problem. But that can only be known by
>>> looking at the CONNECT request message itself.
>>>
>>> Amos
> attached is the certificate chain that is shown in Google Chrome for this banking site, which causes problems ...
> by the way, without squid it is the same ..., why?
> what goes wrong?
>
> the reason for not bumping banking sites is the following:
> I have a VM that is used only for electronic banking, and there I didn't install my root CA and the SSL-bump CA certificate;
> so any SSL site that has nothing to do with banking will not work, and that is how it should be;

Just dig their IPs and pass them by IP with a dst acl. This will work.

>
> Greetings,
> Walter

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
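
The dst-ACL approach suggested in the reply above, as an added example that is not part of the original thread: a small generator that turns a list of no-bump hosts into `acl ... dst` entries plus the matching `ssl_bump none` rule. The function names, the ACL name `ssl_bump_ips_bankingsites` and the sample hosts and addresses are assumptions made up for this illustration.

```python
import ipaddress
import socket


def resolve(host):
    """Return the set of addresses DNS currently gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def build_dst_acl(hosts, acl_name="ssl_bump_ips_bankingsites", resolver=resolve):
    """Return squid.conf lines: dst ACL entries plus the 'ssl_bump none' rule."""
    lines, seen = [], set()
    for host in hosts:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError) as exc:
            # A host that cannot be resolved gets no entry and would be bumped.
            lines.append(f"# {host}: lookup failed ({exc})")
            continue
        lines.append(f"# {host}")
        # Skip addresses already emitted for an earlier host; IPv4 before IPv6.
        for addr in sorted(addrs - seen, key=lambda a: (a.version, int(a))):
            lines.append(f"acl {acl_name} dst {addr}")
        seen |= addrs
    if seen:
        # Must appear above 'ssl_bump server-first all': first match wins.
        lines.append(f"ssl_bump none {acl_name}")
    return lines


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), so this runs offline.
    sample = {
        "bank.example.test": {"192.0.2.10", "2001:db8::10"},
        "pay.example.test": {"192.0.2.10", "192.0.2.11"},
    }
    print("\n".join(build_dst_acl(sample, resolver=sample.__getitem__)))
```

DNS answers can change over time, so the generated entries only reflect the addresses seen when the script ran and need regenerating when a site moves.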