On 12/07/2015 02:05 PM, Tom Tom wrote:
> The configuration provided by Alex works for me (squid 3.5.11)

Thank you for testing and helping expose problems.


> if:
> * the http_port-directive is configured with ssl-bump and a
> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)

ssl-bump is required to access SSL/TLS peeking code. No way around that
today, although future Squid versions may provide something like an
ssl-peek port option that tells Squid that no bumping, for any reason
(including error serving), is permitted on that port.

Specifying a root CA is required to serve certificate validation (and
other) errors, but we probably should be more flexible and allow no-CA
splice-or-terminate configurations as well. Related enhancement requests
in bugzilla are welcomed, especially if they are followed by quality
patches.


> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
> two characters with a colon
> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
> ar***krebs.de)

If Squid silently misinterprets colon-less fingerprints, it is a bug that
should be reported and fixed. Squid should either interpret them
correctly or exit with a configuration error.


Thank you,

Alex.


> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>> * Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>>>> Please note that if you do not want to bump anything, then the following
>>>> should also work (bugs notwithstanding):
>>>>
>>>> ssl_bump splice whitelist
>>>> ssl_bump peek all
>>>> ssl_bump terminate blacklist
>>>> ssl_bump splice all
>>>
>>> That doesn't seem to work for me (squid 3.5.2)
>>
>>> Yet I still can connect. What am I doing wrong?
>>
>> If you are indeed using v3.5.2, then that is a big red flag.
>>
>> If you are using the latest v3.5 release, then you should open a bug
>> report, preferably with an ALL,9 log depicting a single failing
>> transaction. AFAICT, the above is meant to work. If it does not, there
>> is either a Squid bug or misconfiguration [that I cannot detect by
>> reading email].
>>
>>
>> Thank you,
>>
>> Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
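The thread's working configuration depends on two details that are easy to get wrong: the blacklist file must hold SHA1 fingerprints in colon-delimited form, and a malformed entry must not be silently ignored (otherwise "ssl_bump terminate blacklist" never matches and the connection is spliced through by the final "ssl_bump splice all"). The script below is an added example, not code from Squid or from anyone in this thread. It assumes a plain-text file with one fingerprint per line, as the "SSL_BLACKLISTS" file discussed above appears to be (the ACL it feeds is assumed to be Squid's server_cert_fingerprint type), and it normalises entries to the colon-delimited, upper-case form that Tom reports as working, rejecting anything that is not a 20-byte SHA1. The sample file content is constructed for the example; the fingerprint in it is the one quoted in the thread, whose hostname the poster masked.

```python
"""Check and normalise a Squid server_cert_fingerprint blacklist file.

Added example, not Squid code. Assumes one SHA1 fingerprint per line,
optionally with '#' comments, as in the SSL_BLACKLISTS file from the thread.
"""
import hashlib
import re
from typing import List, Tuple

# Accepted spellings: 40 bare hex digits, or 20 hex pairs joined by ':'.
_HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
_COLON = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")


def normalize_fingerprint(entry: str) -> str:
    """Return the canonical 'XX:XX:...:XX' form of a SHA1 fingerprint.

    Accepts colon-delimited or colon-less hex in any case, with surrounding
    whitespace. Raises ValueError for anything else (wrong length, bad
    characters, a SHA256 digest pasted by mistake) so a broken entry fails
    loudly instead of quietly never matching.
    """
    s = entry.strip()
    if _COLON.match(s):
        raw = s.replace(":", "")
    elif _HEX40.match(s):
        raw = s
    else:
        raise ValueError(f"not a SHA1 fingerprint: {entry!r}")
    raw = raw.upper()
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))


def fingerprint_of_der(der: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate in the colon form.

    Same value that `openssl x509 -noout -fingerprint -sha1` prints:
    SHA1 over the raw DER bytes, upper-case hex pairs joined by ':'.
    """
    return normalize_fingerprint(hashlib.sha1(der).hexdigest())


def load_blacklist(text: str) -> Tuple[List[str], List[str]]:
    """Parse blacklist file content into (accepted, rejected) entries.

    Blank lines and '#' comments are skipped. Duplicates are collapsed so
    the same certificate listed in two spellings appears once.
    """
    good: List[str] = []
    bad: List[str] = []
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            fp = normalize_fingerprint(line)
        except ValueError:
            bad.append(line)
            continue
        if fp not in seen:
            seen.add(fp)
            good.append(fp)
    return good, bad


# Constructed sample file: the thread's fingerprint in the colon form, the
# same value colon-less and lower-case, then a truncated and a junk entry.
SAMPLE_BLACKLIST = """\
# fingerprints to terminate
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50   # ar***krebs.de
9ec8153f27c9b5bab91749c80ad7df21d38c8050
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80     # 19 bytes, truncated
DEADBEEF                                                       # not a SHA1
"""

if __name__ == "__main__":
    accepted, rejected = load_blacklist(SAMPLE_BLACKLIST)
    for fp in accepted:
        print(fp)
    for entry in rejected:
        print("REJECTED:", entry)
```

Run it over the real blacklist file before reloading Squid: a non-empty rejected list is the misconfiguration Alex says Squid should be refusing itself, and the accepted list is the file content to install. fingerprint_of_der() gives the value to put in that file for a certificate you already hold in DER form, so the entry does not depend on hand-copying openssl output.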