Search squid archive

Re: ssl_crtd breaks after short time

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amos Jeffries wrote on 2015-06-09 17:10:
[CUT]
> You have to first configure ssl_bump in a way that lets Squid receive
> the clientHello message (step1 -> peek) AND the serverHello message
> (step2 -> peek). Then you can use those cert details to bump (step3 ->
> bump).
> The config is quite simple:
>   ssl_bump peek all
>   ssl_bump bump all
> 
I have this:
ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump bump all

> 
> But there are cases like the client is resuming a previous TLS session
> where there is no certificates involved. Squid cannot do anything, so it
> automatically splices (3.5.4+ at least do). Or if you have configured
> your Squid in a way that there are no mutually supported ciphers.
> 

My client is curl.. I don't think that its caching any TLS sessions.

> 
> It may just be your ssl_bump rules. But given that this is a google
> domain there is a strong chance that you are encountering one of those
> special case.
>
I'd like squid to disallow queries where it cannot see what domain name
/ url is going to be accessed.

I'd like all GET/POST etc. requests to go through squid - so they are
controlled by the normal http_access rules as http (intercepted) is
currently.

This worked with 3.4.12 :( (but only for 30 minutes or less)

You saw my full config.. how is it supposed to look with 3.5.5, for this
to work as it did with 3.4.12 ?

sorry I'm a bit frustrated.. I can't seem to grasp what changed from
3.4.12 to 3.5.5, which means I suddenly can't filter https traffic
anymore :(

-- 
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux