acl BrokenButTrustedServers2 dstdomain "/usr/local/squid/etc/dstdom2.broken"
acl UnableGetIssuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
sslproxy_cert_error allow BrokenButTrustedServers2 UnableGetIssuer
sslproxy_cert_error deny all

Something like this.

04.04.16 23:11, Sébastien Damaye wrote:
> Hi community,
>
> I have set up Squid as transparent proxy (iptable is taking care of
> redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
> a Debian Jessie server to perform SSL inspection. Below is the
> interesting part of my squid.conf file:
>
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
>   cert=/etc/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=4MB \
>   options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
>   dhparams=/etc/squid/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"
>
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> ssl_bump bump
>
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> The SSL inspection works fine for the majority of the websites (I
> populate domain.nobump with some domains from time to time) but I had an
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
> fix while visiting https://blog.kaspersky.com. I have added
> ".blog.kaspersky.com" in my domain.nobump file but I still can't visit
> the website.
>
> Could you please help? Many thanks in advance for your inputs.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
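
How narrowly the sslproxy_cert_error rules in the reply scope the exception, modelled as an added example (not part of the thread and not Squid's code). It assumes Squid's usual access-list semantics: the first matching line wins, every ACL on a line must match, a leading dot in a dstdomain entry also covers subdomains, and each validation error is checked on its own. The domain-list contents and the sample hosts are constructed.

```python
# Toy model of the reply's sslproxy_cert_error rules (assumed semantics, not Squid source).

# Constructed stand-in for the contents of dstdom2.broken.
BROKEN_BUT_TRUSTED = [".blog.kaspersky.com"]

# Error names listed in the UnableGetIssuer ACL in the reply.
UNABLE_GET_ISSUER = {
    "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

def dstdomain_match(host, entries):
    """'.example.com' covers the domain and its subdomains; a bare entry is exact."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def cert_error_allowed(host, error):
    """Walk the rules top to bottom; the first line whose ACLs all match decides."""
    rules = [
        # sslproxy_cert_error allow BrokenButTrustedServers2 UnableGetIssuer
        ("allow", dstdomain_match(host, BROKEN_BUT_TRUSTED) and error in UNABLE_GET_ISSUER),
        # sslproxy_cert_error deny all
        ("deny", True),
    ]
    for action, matched in rules:
        if matched:
            return action == "allow"
    return False

def connection_allowed(host, errors):
    """Assumption: every error raised for the certificate must be allowed."""
    return all(cert_error_allowed(host, e) for e in errors)

if __name__ == "__main__":
    issuer = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
    expired = "X509_V_ERR_CERT_HAS_EXPIRED"
    for host, errs in [("blog.kaspersky.com", [issuer]),
                       ("blog.kaspersky.com", [issuer, expired]),
                       ("example.org", [issuer])]:
        print(host, errs, "->", "allow" if connection_allowed(host, errs) else "deny")
```

Only the two listed chain-building errors are tolerated, and only for hosts in the trusted list; an expired certificate on a listed host or an issuer error on any other host is still denied.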