Re: SSL Bump - Splice - Chrome error

It's called certificate pinning: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Nir.

On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez <ajm.martinez@xxxxxxxxx> wrote:
Hi all,

I'm using squid 3.5.12.

This is my relevant config:

http_port 881
http_port 880 intercept
https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
sslcrtd_children 8 startup=1 idle=1

#### Denied Users
acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
http_access deny equipos_denegados
deny_info DENY equipos_denegados

#### Allowed users
acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
http_access allow equipos_permitidos
####

#### Denied Sites
acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
http_access deny sitios_denegados
####

#### Block HTTPS
acl blockhttps ssl::server_name  "/usr/local/squid/etc/sitiosdenegados"
ssl_bump terminate blockhttps
ssl_bump splice equipos_permitidos
ssl_bump peek all
ssl_bump splice all
####

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv3:NO_SSLv2


Basically I'm using squid to allow everything and deny some users (hosts) and some sites (http and https).

If I use IE or Firefox (Win/Lin), everything works great: if I access a site via HTTP the user sees a message, and if he accesses it via HTTPS the connection is terminated and there is an error in the browser.

But if I access any Google site using Chrome (Windows / Linux), the sites are getting bumped (google.com, google.com.X, youtube.com, etc.).

The browser complains with a "Your connection is not private" and the certificate is my own certificate.

Am I missing something?

I only want to splice everything.

Thanks


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
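
The check a pinning client performs, written out as an added shell example (not from the thread, and not Squid's code): the pin is the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo, and a certificate whose key is not in the pinned set is refused, which is what produces Chrome's "Your connection is not private" when a bumped Google domain is served a certificate minted by ssl_crtd. Two locally generated self-signed certificates are constructed test data: one stands in for the origin's pinned key, the other for the proxy-generated certificate; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): an HPKP-style pin check.
# pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Chrome ships such pins for
# Google domains, so a certificate generated by the proxy, whose key is not in
# the pinned set, is rejected by the browser.
set -e

# Print the pin of a PEM certificate file.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Print "pinned" if the certificate's pin is in the space-separated list $2,
# otherwise "mismatch" (what a pinning client treats as interception).
check_pin() {
  pin="$(spki_pin "$1")"
  for p in $2; do
    [ "$p" = "$pin" ] && { echo pinned; return 0; }
  done
  echo mismatch
}

# Generate a throw-away self-signed certificate for CN $1 into file $2
# (constructed test data, hypothetical host name).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Demo: the origin's pinned key versus a certificate minted by the proxy.
demo() {
  dir="$(mktemp -d)"
  make_cert www.example.test "$dir/origin.pem"   # stands in for the real site key
  make_cert www.example.test "$dir/bumped.pem"   # stands in for the ssl_crtd cert
  pins="$(spki_pin "$dir/origin.pem")"           # the set a pinning client trusts
  echo "origin cert: $(check_pin "$dir/origin.pem" "$pins")"   # pinned
  echo "bumped cert: $(check_pin "$dir/bumped.pem" "$pins")"   # mismatch
  rm -rf "$dir"
}
demo
```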


