On 29/09/2015 5:20 p.m., Yuri Voinov wrote:
> Don't think so we can detect pinned apps automatically. You need find it
> manually this time AFAIK.

Correct. There is no way for Squid to know that some app running on a
separate client device, installed a random time earlier via another
network, contains crypto keys. Or what they are used for when not
transmitted over the network.

>
> 29.09.15 2:29, HackXBack wrote:
>> Yuri, Dear friend.
>> use splice HAA ? ok and how you cant detect automatically to make squid
>> splice the pinned app automatically ?
>> otherwise, it is a real problem if cant detected automatically,
>> and in my opinion it is a bug.

Completely unknown state in the remote client-end environment is not a
bug in the server software. It is not even a bug in the client software,
since this exact outcome is the designed purpose of cert pinning.

Do not forget that ssl-bump is an MITM injecting itself forcibly into
the private conversation between the client and server.

** When TLS is used properly HTTPS cannot be ssl-bumped. **

Cert pinning is not quite "properly" IMHO. But it's close enough to ideal
to prevent bump working.

The only way to know about cert pinning is to inspect/investigate the
client app. That means manually at present.

NP: I have no idea or opinion about whether the site in question is
doing pinning or not.

Amos
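
The manual approach described in this thread, as an added example that is not part of the original message: once a pinned app's server names have been found by inspecting the app, they are listed by hand and spliced, while other traffic is still bumped. The ACL names, the file path and the domain are assumptions chosen for illustration; the directives are those of Squid 3.5's peek-and-splice feature.

```conf
# squid.conf fragment (Squid 3.5 or later, built with OpenSSL support)

# Step 1 of the TLS handshake: only the client hello (and its SNI) is visible.
acl step1 at_step SslBump1

# Manually maintained list of server names used by apps known to pin certs.
# Hypothetical path; one entry per line, for example (constructed value):
#   .pinned-app.example
acl pinned_apps ssl::server_name "/etc/squid/pinned_apps.txt"

# Peek at the client hello first so the SNI is available for matching.
ssl_bump peek step1

# Pinned apps: pass the TLS connection through untouched, so the client
# sees the origin server's real certificate and its pin check succeeds.
ssl_bump splice pinned_apps

# Everything else is intercepted as before.
ssl_bump bump all
```

Squid cannot populate the list itself: each entry has to come from investigating the client app, as the message above explains.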