I have tried to enable safe searching with Squid 3.5.7 using ssl-bump splice, but when I enable it, browsing to https://google.com generates a Squid error page saying there is no valid certificate. Browsing to all other https sites loads the pages correctly and all other SSL-bump sites get bumped and displayed correctly.
Has anyone had any luck getting this to work? Here are the relevant squid.conf entries:

acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl google ssl::server_name .google.com
ssl_bump peek s1_tls_connect all
acl nobumpSites ssl::server_name .wellsfargo.com
ssl_bump splice s2_tls_client_hello nobumpSites
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer forcesafesearch.google.com parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users