Hi. Today I discovered that a bunch of old legacy ICQ clients that some people till use have lost the ability to use HTTP CONNECT tunneling with sslBump. No matter what I tried to allow direct splicing for them, all was useless: - arranging them by dst ACL, and splicing that ACL - arranging them by ssl::server_name ACL, and splicing it So I had to turn of sslBumping. Looks like it somehow interferes with HTTP CONNECT even when splicing it. Last version of sslBump part in the config was looking like that: acl icqssl ssl::server_name login.icq.com acl icqssl ssl::server_name go.icq.com acl icqssl ssl::server_name ars.oscar.aol.com acl icqssl ssl::server_name webim.qip.ru acl icqssl ssl::server_name cb.icq.com acl icqssl ssl::server_name wlogin.icq.com acl icqssl ssl::server_name storage.qip.ru acl icqssl ssl::server_name new.qip.ru acl icqlogin dst 178.237.20.58 acl icqlogin dst 178.237.19.84 acl icqlogin dst 94.100.186.23 ssl_bump splice children ssl_bump splice sbol ssl_bump splice icqlogin ssl_bump splice icqssl icqport ssl_bump splice icqproxy icqport ssl_bump bump interceptedssl ssl_bump peek step1 ssl_bump bump unauthorized ssl_bump bump entertainmentssl ssl_bump splice all I'm not sure that ICQ clients use TLS, but in my previous experience they were configured to use proxy, and to connect through proxy to the login.icq.com host on port 443. Sample log for unsuccessful attempts: 1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- - 1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- - 1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 - 1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 - Thanks. Eugene. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
