
Re: ssl_bump problem with tw.bid.yahoo.com in transparent proxy


Hello Yuri,

I have the same problem with a transparent proxy (can't bypass bad web sites), and as far as I know the Squid guys have not fixed the SNI issue yet. Forward proxy works smoothly.
Tell me if I am wrong)

My configuration is the following:

acl step1 at_step SslBump1

ssl_bump stare step1 all
acl sslBumpDeniedDstDomain dstdomain .google.com
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all

And the squid version is
Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--with-openssl' '--enable-linux-netfilter' '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd' '--prefix=/opt/squid' '--enable-external-acl-helpers=none' '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for' '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2' '--enable-snmp' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

Regards

On 4/1/2015 12:34 PM, Yuri Voinov wrote:

What version of Squid are you using?

01.04.15 13:06, Yu-Hsuan Liao wrote:
> Hello Everyone,
>
> I got an 'ssl_error_bad_cert_domain' message from the browser when I was trying
> to bump tw.bid.yahoo.com in transparent mode
>
> I found that the certificate is signed to tw.otplogin.reg.yahoo.com, which
> should be signed to tw.bid.yahoo.com
>
> but for now I can't bypass using the following configuration:
>
> acl yahoo_url tw.otplogin.reg.yahoo.com tw.bid.yahoo.com
> ssl_bump none yahoo_url
>
> yet everything is OK when I use forward proxy, the certificate is correctly
> signed to tw.bid.yahoo.com
>
> any ideas?
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users





