Transparent interception in 3.5 still does not completely support SNI. Only in the 3.4.x branch.

And yes - you do it wrong in your config:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

05.03.15 17:53, Sergey Pronin wrote:
> Hello guys,
>
> I have a question about bumping and SNI. Is it supported now in
> squid 3.5?
>
> What I have: Debian Linux, squid 3.5.2
>
> Config for SSL transparent interception is the following:
>
> https_port 10.10.115.7:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/squidCA
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ssl_bump none localhost
> ssl_bump peek all
> ssl_bump bump all
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> With this configuration the access log looks like this for HTTPS
> traffic:
>
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 177.71.251.241:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 223.25.233.66:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 103.16.26.232:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.78.6 - - [05/Mar/2015:13:44:54 +0200] "CONNECT 65.55.163.221:443 HTTP/1.1" 200 895 "-" "-" TCP_TUNNEL:ORIGINAL_DST
>
> Certificates are generated for IPs as well, not CNs. Clients are
> redirected via IPtables.
>
> I have tried to modify ssl_bump options:
>
> 1) ssl_bump stare all
> 2) ssl_bump peek all
> 3) ssl_bump bump all
>
> etc., but still only IPs are shown.
>
> Could you please tell me where I'm mistaken?
>
> --
> Regards
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
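
A check for the symptom described in the quoted message, as an added example that is not part of the original thread: it parses access-log lines in the format shown above and counts CONNECT entries whose target is an IP literal versus a host name, so logs taken before and after a configuration change can be compared. The first four sample lines are the ones quoted in the message, the last three are constructed, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Access-log line in the format quoted in the message.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "[^"]*" '
    r'(?P<result>\w+):(?P<hier>\w+)')

def target_host(target):
    """Strip the port from a CONNECT target, including [IPv6]:port."""
    if target.startswith("[") and "]" in target:
        return target[1:target.index("]")]
    return target.rsplit(":", 1)[0]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize_connects(lines):
    """Count CONNECT entries keyed by ("ip" | "name", result code)."""
    summary, unparsed = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1
        elif m["method"] == "CONNECT":
            kind = "ip" if is_ip_literal(target_host(m["target"])) else "name"
            summary[(kind, m["result"])] += 1
    return summary, unparsed

SAMPLE = [  # first four: from the quoted log; last three: constructed
    '192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 177.71.251.241:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE',
    '192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 223.25.233.66:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE',
    '192.168.78.31 - - [05/Mar/2015:13:44:50 +0200] "CONNECT 103.16.26.232:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE',
    '192.168.78.6 - - [05/Mar/2015:13:44:54 +0200] "CONNECT 65.55.163.221:443 HTTP/1.1" 200 895 "-" "-" TCP_TUNNEL:ORIGINAL_DST',
    '192.168.78.6 - - [05/Mar/2015:13:45:02 +0200] "CONNECT www.example.com:443 HTTP/1.1" 200 895 "-" "-" TCP_TUNNEL:ORIGINAL_DST',
    '192.168.78.6 - - [05/Mar/2015:13:45:03 +0200] "GET http://example.com/ HTTP/1.1" 200 512 "-" "-" TCP_MISS:HIER_DIRECT',
    'not a log line',
]

if __name__ == "__main__":
    summary, unparsed = summarize_connects(SAMPLE)
    for (kind, result), count in sorted(summary.items()):
        print(f"{kind:<4} {result:<12} {count}")
```
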