Re: SSL Bump - Splice - Chrome error

Alejandro Martinez <ajm.martinez@xxxxxxxxx> · Sun, 3 Jan 2016 22:16:10 -0200

Thanks again Yuri.
I have tried blocking udp protocol on port 80 and 443 but without luck.

Is it possible to make google sites work in transparent mode without bumping ? only splicing ?

Thanks

2016-01-03 10:11 GMT-03:00 Alejandro Martinez <ajm.martinez@xxxxxxxxx>:
Sorry my corrector. 

I want to say that i am going to check blocking quic proto. 
Sorry 

El 03/01/2016 10:10, "Alejandro Martinez" <ajm.martinez@xxxxxxxxx> escribió:
Yuri
Thanks.
I amor.gringaus to checkpoint blocking quic. 
I cant put ca cert into clients besarse I dont have access but I do not want to bump,  Just allow almost everything and deny only a few sites. 
I Will tell you my result. 

El 03/01/2016 06:22, "Yuri Voinov" <yvoinov@xxxxxxxxx> escribió:

    Sure,

    my config is quite different.

    Also - did you put cache CA cert into clients? And - did you block
    QUIC in your infrastructure? As described here:

    http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

    ?

    03.01.16 8:28, Alejandro Martinez
      пишет:

      Yuri 
      Do you haber something diferent  in your config? 
      Thanks 

      El 02/01/2016 17:18, "Yuri Voinov" <yvoinov@xxxxxxxxx>
        escribió:

            -----BEGIN PGP SIGNED MESSAGE----- 

            Hash: SHA256 

            Don't think so.

            Google's HTTPS's works for me without any alerts in Chrome
            :) With bump! ;)

            03.01.16 2:12, Nir Krakowski пишет:

            > Its called certificate pinning:

      > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

      >

      > Nir.

      >

      > On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
      <ajm.martinez@xxxxxxxxx>

      > wrote:

      >

      >> Hi all,

      >>

      >> I'm using squid 3.5.12.

      >>

      >> This is my relevant config:

      >>

      >> *http_port 881*

      >> *http_port 880 intercept*

      >> *https_port 843 intercept ssl-bump
      generate-host-certificates=on

      >> dynamic_cert_mem_cache_size=4MB
      cert=/usr/local/squid/etc/cert.pem key=*

      >> */usr/local/squid/etc**/cert.pem
      options=NO_SSLv3:NO_SSLv2

      >>
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH*

      >> *sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s *

      >> */usr/local/squid/etc/**ssl/certs -M 4MB sslcrtd_children
      8 startup=1

      >> idle=1*

      >>

      >> *#### Denied Users*

      >> *acl equipos_denegados src
      "**/usr/local/squid/etc**/equipos_denegados"*

      >> *http_access deny equipos_denegados*

      >> *deny_info DENY equipos_denegados*

      >>

      >> *#### Allowed users*

      >> *acl equipos_permitidos src
      "/**usr/local/squid/etc**/equipos_permitidos"*

      >> *http_access allow equipos_permitidos*

      >> *####*

      >>

      >> *#### Denied Sites*

      >> *acl sitios_denegados dstdomain "**/usr/local/squid/etc*

      >> */sitiosdenegados"*

      >> *http_access deny sitios_denegados*

      >> *####*

      >>

      >> *#### Block HTTPS*

      >> *acl blockhttps ssl::server_name 
      "/**usr/local/squid/etc*

      >> */sitiosdenegados"*

      >> *ssl_bump terminate blockhttps*

      >> *ssl_bump splice equipos_permitidos*

      >> *ssl_bump peek all*

      >> *ssl_bump splice all*

      >> *####*

      >>

      >> *sslproxy_cert_error allow all*

      >> *sslproxy_flags DONT_VERIFY_PEER*

      >> *sslproxy_options NO_SSLv3:NO_SSLv2*

      >>

      >>

      >> Basically I'm using squid to allow everything and deniy
      some users (hosts)

      >> and some sites (http and https).

      >>

      >> If I use IE or Firefox (Win/Lin), everything works great,
      if I access a

      >> site via HTTP the user see a message and if he access via
      HTTPS the

      >> conecction is terminated and there is an error on the
      browser.

      >>

      >> But, If I access any google site using chrome (windows /
      linux) the sites

      >> are getting bumped (google.com, google.com.X youtube.com,
      etc)

      >>

      >> The browser complains with a "Your conecction is not
      private" and the

      >> certificate is my own certificate.

      >>

      >> I'm missing something ?

      >>

      >> I only what to splice everythng.

      >>

      >> Thanks

      >>

      >>

      >> _______________________________________________

      >> squid-users mailing list

      >> squid-users@xxxxxxxxxxxxxxxxxxxxx

      >> http://lists.squid-cache.org/listinfo/squid-users

      >>

      >>

      >

      >

      >

      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

            -----BEGIN PGP SIGNATURE-----

            Version: GnuPG v2

iQEcBAEBCAAGBQJWiDCiAAoJENNXIZxhPexGoQgH/3tVYeLA0ymswptTFgXCafjD

4dVdYyeqUklxAD1Z9kdTAwebKr8gCum+pSJJti474hjNpgQQlHsTc/syxMxMJGsF

Z2V0e1GCFjhDf+PBoBRIO0tJw5fhSR7RUhWT5HeZ5OuP412XtjyLH1eRJqKShh+x

VBL+7btpC5CwhDyHtM35UXCwM43tkuXo3uF8FibZn3AgxKM7EZJ0NndwK5od0kW1

PaTmUqeODXJZdXjceVF4dYeTt6GfSvzfrtXiPMIogk0w0Z2bJi5Sj/w7tr1x7VPH

ls8kccXKVCKp0kigoEMLD86DzznKd1c4r+rZguEGycQQfN8MIpzc8wQZEm61nx0=

            =aiMO

            -----END PGP SIGNATURE-----

          _______________________________________________

          squid-users mailing list

          squid-users@xxxxxxxxxxxxxxxxxxxxx

          http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users