Amos Jeffries wrote on 2015-06-09 17:10:
[CUT]
> You have to first configure ssl_bump in a way that lets Squid receive
> the clientHello message (step1 -> peek) AND the serverHello message
> (step2 -> peek). Then you can use those cert details to bump (step3 ->
> bump).
> The config is quite simple:
>   ssl_bump peek all
>   ssl_bump bump all
>

I have this:

ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump bump all

>
> But there are cases like the client is resuming a previous TLS session
> where there are no certificates involved. Squid cannot do anything, so it
> automatically splices (3.5.4+ at least do). Or if you have configured
> your Squid in a way that there are no mutually supported ciphers.
>

My client is curl.. I don't think that it's caching any TLS sessions.

>
> It may just be your ssl_bump rules. But given that this is a google
> domain there is a strong chance that you are encountering one of those
> special cases.
>

I'd like squid to disallow queries where it cannot see what domain name /
url is going to be accessed.

I'd like all GET/POST etc. requests to go through squid - so they are
controlled by the normal http_access rules, as http (intercepted) is
currently.

This worked with 3.4.12 :( (but only for 30 minutes or less)

You saw my full config.. how is it supposed to look with 3.5.5, for this
to work as it did with 3.4.12?

Sorry, I'm a bit frustrated.. I can't seem to grasp what changed from
3.4.12 to 3.5.5, which means I suddenly can't filter https traffic
anymore :(

--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer