On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
>
> Does anyone have any idea how to fix the below described problem? Please :)
>

You are taking secured traffic. Removing the decryption. Then ...

>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.

Except when the target is a peer receiving plain-text TCP connections (not TLS encrypted connections) ...

>>
>> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443
>> - HIER_NONE/- -
>> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
>> https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>

... splat.

Clear enough? If not the assertion below should make it clearer.

>> Alternatively if I change the ssl_bump setup to this:
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"

Attempting to connect and send encryption to a non-encrypted peer.

Using a current version of Squid should fix that assertion and just not let the peer be used. Your Squid is a whole 2 months old. In the arms race that is SSL-Bump a few months is a long time.

Squid still will not generate new CONNECT to non-encrypted peers though. So you will need to TLS enable the cache_peer link.

Amos
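A TLS-enabled cache_peer link of the kind the reply recommends, as an added example that is not part of the original thread or either poster's configuration. It uses Squid 3.5 option names (Squid 4 and later spell them `tls` and `tls-cafile=`); the ports and file paths are placeholders, and the commented-out plain-text line is constructed for contrast, since the original cache_peer line is not shown in the thread.

```conf
# ---- squid.conf on the bumping proxy (the one running ssl_bump) ----

# Before (constructed for contrast): a plain-text parent. Bumped requests
# cannot be relayed over this link, which matches the TCP_MISS/503 via
# FIRSTUP_PARENT/proxy-upstream and the "peer->use_ssl" assertion quoted above.
# cache_peer proxy-upstream parent 3128 0 no-query default

# After: the same parent reached over TLS.
#   ssl         encrypt the connection to this peer
#   sslcafile=  CA used to verify the peer's certificate (placeholder path)
# The peer's certificate must match the name "proxy-upstream"; if it was
# issued for a different name, add ssldomain=<name in the certificate>.
cache_peer proxy-upstream parent 3129 0 no-query default ssl sslcafile=/etc/squid/peer-ca.pem

# ---- squid.conf on proxy-upstream (the parent) ----

# A TLS listener for the bumping proxy to connect to.
# Port, certificate and key paths are placeholders.
https_port 3129 cert=/etc/squid/proxy-upstream.pem key=/etc/squid/proxy-upstream.key
```

Because the bumping proxy has already decrypted the client's traffic, this link is the only encryption protecting those requests between the two proxies, so keep peer certificate verification enabled rather than relaxing it to get the link up.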