Bug created: http://bugs.squid-cache.org/show_bug.cgi?id=4394

On Thu, Dec 10, 2015 at 9:10 PM, Tom Tom <tomtux007@xxxxxxxxx> wrote:
> Hi Alex
>
> I've tested again. Squid (3.5.11) only terminates the connection
> (based on SHA1-Fingerprint), *if* the fingerprint is delimited with
> colons. If not, squid GETs the https-request as usual. I'll report a
> bug.
>
> With SHA1-FP (delimited):
> 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the
> config-file, Squid terminates the connection as expected:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
> curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443
>
>
> With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532
> in the config-file, squid GETs the site:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
>
> HTTP/1.1 200 OK
> Date: Thu, 10 Dec 2015 20:06:11 GMT
> P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR
> CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
> UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
> LOC GOV"
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=2592000
> ...
> ....
>
> Kind regards,
> Tom
>
> On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> On 12/07/2015 02:05 PM, Tom Tom wrote:
>>> The configuration provided by Alex works for me (squid 3.5.11)
>>
>> Thank you for testing and helping expose problems.
>>
>>
>>> if:
>>> * the http_port-directive is configured with ssl-bump and a
>>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>>
>> ssl-bump is required to access SSL/TLS peeking code. No way around that
>> today although future Squid versions may provide something like an
>> ssl-peek port option that tells Squid that no bumping, for any reason
>> (including error serving) is permitted on that port.
>>
>> Specifying root CA is required to serve certificate validation (and
>> other) errors, but we probably should be more flexible and allow no-CA
>> splice-or-terminate configurations as well.
>>
>> Related enhancement requests in bugzilla are welcomed, especially if
>> they are followed by quality patches.
>>
>>
>>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>>> two characters with a colon
>>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>>> ar***krebs.de)
>>
>> If Squid silently misinterprets colon-less fingerprints, it is a bug
>> that should be reported and fixed. Squid should either interpret them
>> correctly or exit with a configuration error.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>
>>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>>> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>>>> * Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>>>>>> Please note that if you do not want to bump anything, then the following
>>>>>> should also work (bugs notwithstanding):
>>>>>>
>>>>>> ssl_bump splice whitelist
>>>>>> ssl_bump peek all
>>>>>> ssl_bump terminate blacklist
>>>>>> ssl_bump splice all
>>>>>
>>>>> That doesn't seem to work for me (squid 3.5.2)
>>>>
>>>>> Yet I still can connect. What am I doing wrong?
>>>>
>>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>>
>>>> If you are using the latest v3.5 release, then you should open a bug
>>>> report, preferably with an ALL,9 log depicting a single failing
>>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>>> reading email].
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Alex.
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>> http://lists.squid-cache.org/listinfo/squid-users
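The whole thread turns on how a SHA1 fingerprint in the blacklist file is parsed: the colon-delimited form terminates the connection, the bare 40-hex-digit form is silently ignored. As an added example (not Squid's code, and not a description of how Squid itself reads the file), here is a small Python checker that does what Alex says a loader should do: accept both forms, canonicalise them, and refuse anything else at load time instead of silently misinterpreting it. It also compares a DER certificate's SHA1 fingerprint against the loaded list. The file format (one fingerprint per line, `#` comments), the function names and the sample list are assumptions; the two fingerprint values in the sample are the ones quoted in the thread.

```python
import hashlib
import re

SHA1_HEX_LEN = 40
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def normalize_fingerprint(raw: str) -> str:
    """Return a canonical colon-delimited, upper-case SHA1 fingerprint.

    Accepts '41:30:...:32' (20 two-digit groups) and '413072...32' (40 bare
    hex digits). Anything else (wrong length, non-hex characters, groups that
    are not two digits) raises ValueError so that a config loader can fail
    loudly rather than load an entry that will never match.
    """
    text = raw.strip()
    if ":" in text:
        parts = text.split(":")
        if len(parts) != SHA1_HEX_LEN // 2 or any(len(p) != 2 for p in parts):
            raise ValueError(f"malformed colon-delimited fingerprint: {raw!r}")
        hexstr = "".join(parts)
    else:
        hexstr = text
    if len(hexstr) != SHA1_HEX_LEN or not HEX_RE.fullmatch(hexstr):
        raise ValueError(f"fingerprint is not 40 hex digits: {raw!r}")
    hexstr = hexstr.upper()
    return ":".join(hexstr[i:i + 2] for i in range(0, SHA1_HEX_LEN, 2))


def is_valid_fingerprint(raw: str) -> bool:
    """True if normalize_fingerprint() accepts the string."""
    try:
        normalize_fingerprint(raw)
        return True
    except ValueError:
        return False


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 fingerprint of a DER-encoded certificate, in canonical form."""
    return normalize_fingerprint(hashlib.sha1(der_cert).hexdigest())


def load_blacklist(text: str):
    """Parse a blacklist file: one fingerprint per line, '#' starts a comment.

    Returns (entries, errors). 'entries' is a set of canonical fingerprints;
    'errors' is a list of (line_number, message). A loader should treat a
    non-empty 'errors' list as a configuration error and refuse to start.
    """
    entries = set()
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.add(normalize_fingerprint(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


def is_blacklisted(der_cert: bytes, blacklist) -> bool:
    """True if the certificate's SHA1 fingerprint is in the loaded list."""
    return sha1_fingerprint(der_cert) in blacklist


# Constructed sample blacklist (assumed file format). The two full fingerprints
# are the values quoted in the thread; the last line is deliberately truncated.
SAMPLE_BLACKLIST = """\
# constructed sample, not a real deployment
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
413072f803ce961210e9a45d10da14b0d2d48532   # same fingerprint, bare lower-case
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
41:30:72:F8                                 # truncated: must be rejected
"""

if __name__ == "__main__":
    entries, errors = load_blacklist(SAMPLE_BLACKLIST)
    print(f"loaded {len(entries)} distinct fingerprints")
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    # A constructed byte string standing in for a DER certificate.
    print("blacklisted:", is_blacklisted(b"constructed, not a real certificate", entries))
```

Running it loads two distinct entries (the bare lower-case line collapses onto the delimited one) and reports line 5 as malformed; a loader built this way would exit on that error instead of quietly carrying an entry that can never match. Canonicalising on both sides of the comparison is what makes the lookup independent of how the operator typed the fingerprint.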