Re: Fwd: Squid https bump and google apps

Yuri Voinov <yvoinov@xxxxxxxxx> · Sat, 16 Jan 2016 00:23:48 +0600



    -----BEGIN PGP SIGNED MESSAGE----- 

    Hash: SHA256 

     
    15.01.16 23:55, lucas castro пишет:

    > Amos, Sorry for emailing right
      to you.

      > ---------- Forwarded message ----------

      > From: lucas castro <lucascastroborges@xxxxxxxxx>

      > Date: Fri, Jan 15, 2016 at 2:54 PM

      > Subject: Re:  Squid https bump and google apps

      > To: Amos Jeffries <squid3@xxxxxxxxxxxxx>

      >

      >

      > Amos, I'm already using squid-3.5.13 with sni,

      > the problem is, google use the same certificate for
      youtube.com, google.com

      > and some others.

      > Or Am I doing something wrong?

    Yes. SSL Bump is _not_ main ACL tool. So, use SNI as geberal ACL is
    bad idea.

    
    Right way is:

    
    - - Using bump to make FQDN visible and, next

    - - Using general ACL to access control _or_

    - - Using redirector to filter out URL's.

    >

      >

      > On Fri, Jan 15, 2016 at 2:33 PM, Amos Jeffries
      <squid3@xxxxxxxxxxxxx> wrote:

      >

      >> On 16/01/2016 3:35 a.m., Lucas Castro wrote:

      >>> I've hard worked against google applications,

      >>> The points is, google use the same certificate for a
      bunch of different

      >>> apps,

      >>> like google.com, youtube.com, drive.google.com.

      >>> I'd like to know if someone already got terminated
      youtube.com and

      >>> keep working google.com and others services.

      >>

      >> It is possible. Using the Squid-3.5 peek-and-splice
      feature with SNI

      >> detection.

      >>

      >> Amos

      >>

      >> _______________________________________________

      >> squid-users mailing list

      >> squid-users@xxxxxxxxxxxxxxxxxxxxx

      >> http://lists.squid-cache.org/listinfo/squid-users

      >>

      >

      >

      >

      >

      >

      > _______________________________________________

      > squid-users mailing list

      > squid-users@xxxxxxxxxxxxxxxxxxxxx

      > http://lists.squid-cache.org/listinfo/squid-users

    
    -----BEGIN PGP SIGNATURE-----


    Version: GnuPG v2


    iQEcBAEBCAAGBQJWmTk0AAoJENNXIZxhPexGsXMH/34A845b1aP2K5MMt1gKBvHw


    flOC1IK5jyAm8GhhCxrNwEqmYpkMhYISav/wJzwCnlXwoadNC0zD+AXvDRFF7Stb


    P8EMgYG//ZWOaSVfRgv4r9Bdf8UY3ujuk35jHaIIgBrDyJKHnyLOKOaRtNC7IaOB


    fdnk9dpHLae5V7OqwHSOZ8FapfYRXtbQzgG7t2EOR/0MuZg1EigOm0r5MnpKg6UG


    8sEKaRAaJ5UE+9sA7KOvXBv/4KhfJNr2pJthqnLrRnM6Ye1VexyZzLU02ijRDsKC


    4lkX24kHWGgj5g350vWaiN/uzChzqxxwZActwbdPi33n/vkT12TffSUPeZn2jnY=


    =zavO


    -----END PGP SIGNATURE-----


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users