Re: Squid 4: Cloudflare SSL connection problem

*NIX means UNIX. Solaris is AT&T UNIX. Linux is not UNIX (C) Linus Torvalds. :) We are not speaking about all possible OSes. I suggest the matter is in SSL/TLS, not the OS or hands or something similar.

The problem is in CF, I think. At most, in peek-n-splice.


Because I've not changed my squid.conf over the last year, but approx. in January 2016 CloudFlare stopped working via proxy, as my field SA said. AFAIK, CF changed their own security settings. Also, I suggest, mozilla.org also moved behind CF.

Ok, let's talk about squid.conf. SSL-related rows are here:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt options=SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_foreign_intermediate_certs /usr/local/squid/etc/intermediate_ca.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

I see no anomalies in these lines. The ciphersuite is very relaxed.

Also, if we discuss a bug, maybe it is better to turn on debug to know why 4.x got first NONE_ABORTED/200 during the CONNECT phase and then NONE/503 during TLS negotiation?


17.04.16 14:58, Eliezer Croitoru wrote:
> For me it works.
> ...
> The first thing to do is publish the squid.conf with a bug report and all other related info.
> *NIX doesn't mean CentOS since on CentOS this specific issue doesn't exist.
> I assume that if it works on CentOS it will work almost the same for Ubuntu and Debian.
>
> Eliezer
>
> On 16/04/2016 19:50, Yuri Voinov wrote:
>> 3.5.16 on *NIX also has this issue.
>>
>> Only 3.5.16 Win64 works like a charm.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
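Before turning on debugging, it helps to confirm from access.log that the NONE_ABORTED/200 CONNECT and the NONE/503 really belong to the same client and host. The script below is an example added to this archive page, not code from the thread; it assumes Squid's default native log format, and the sample log lines are constructed.

```python
"""Correlate NONE_ABORTED/200 CONNECT entries with NONE/503 entries in a Squid access.log
(native log format). Added example; the log lines below are constructed, not real."""
import re
from collections import defaultdict

# Native access.log fields: timestamp elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: one client gets an aborted CONNECT and then a 503 for the same host;
# a second client's tunnel is spliced fine; a lone abort with no 503 must not be reported.
SAMPLE_LOG = """\
1460812345.123    120 192.168.1.10 NONE_ABORTED/200 0 CONNECT www.mozilla.org:443 - HIER_NONE/- -
1460812345.456      5 192.168.1.10 NONE/503 4021 GET https://www.mozilla.org/ - HIER_NONE/- text/html
1460812400.001     80 192.168.1.11 TCP_TUNNEL/200 5120 CONNECT splice.example:443 - HIER_DIRECT/203.0.113.5 -
1460812460.000     40 192.168.1.10 NONE_ABORTED/200 0 CONNECT other.example:443 - HIER_NONE/- -
"""

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = float(rec["ts"]), int(rec["status"])
    return rec

def host_of(rec):
    """CONNECT logs host:port; a bumped request logs the full https:// URL."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0].lower()
    m = re.match(r"https?://([^/:]+)", rec["url"])
    return (m.group(1) if m else rec["url"]).lower()

def find_bump_failures(log_text, window=5.0):
    """Return sorted (client, host) pairs that have a NONE_ABORTED/200 CONNECT and a NONE/503
    within `window` seconds of each other (either order: a tunnel is logged when it closes)."""
    aborts, errors = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], host_of(rec))
        if rec["method"] == "CONNECT" and rec["code"] == "NONE_ABORTED" and rec["status"] == 200:
            aborts[key].append(rec["ts"])
        elif rec["code"] == "NONE" and rec["status"] == 503:
            errors[key].append(rec["ts"])
    return sorted(k for k in aborts
                  if any(abs(a - e) <= window for a in aborts[k] for e in errors.get(k, [])))

if __name__ == "__main__":
    for client, host in find_bump_failures(SAMPLE_LOG):
        print(f"{client} -> {host}: CONNECT aborted and the bumped request got 503")
```

Run it against the real access.log (`find_bump_failures(open("/var/log/squid/access.log").read())`) to get the client/host pairs worth collecting debug output for.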
