Ok that makes more sense now. Thanks to everyone for the tips. I'm going to work on this over the next few days and see where I end up.

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

-----Original Message-----
From: Alex Rousskov [mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, April 29, 2016 11:13 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Cc: Markey, Bruce <bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Using dont_verify_peer

On 04/28/2016 02:32 PM, Markey, Bruce wrote:
> I’ve been having to actually remove folks from the proxy so they could work.
> I can’t deny users access to the sites they need.
> all I really wanted was to keep stats on sites visited.

Yours and many other passive monitoring use cases call for a non-intrusive or "stealth" splice. No TLS version enforcement, no [fatal] certificate validation errors, no errors returned to the user, just domain name logging and splicing. Supporting this stealthy mode requires a lot of work, and there is currently no sponsor to get us all the way to that goal, but I am optimistic that we will eventually get there.

The automated certificate fetching (bug #4305) still needs to be supported, of course. It is a separate issue.

Meanwhile, besides manually adding untrusted certificates as has been recommended by others, consider limiting peeking to step1 [in some cases]. This way, Squid will not see and validate the server certificate. If most of your traffic has SNI, and users are not trying to defeat your monitoring, then the logs may still contain enough info to produce the stats you want, even without seeing certificates.

HTH,
Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
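A squid.conf fragment for the "peek at step1, then splice" arrangement Alex describes, added here as an illustration; it is not part of the thread and not taken from Squid's own documentation. The listening port, certificate and key paths, and log path are assumptions:

```conf
# Added example (not from the thread): log TLS destinations by SNI without
# ever fetching or validating the server certificate.
# Assumed values: port 3129, the cert/key paths and the log path.

https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

# Step 1: peek at the client's TLS ClientHello so the SNI becomes available
# for the next decision. Step 2: splice everything, so Squid never opens a
# TLS handshake to the origin server as a client and therefore never sees
# (or has to validate) the server certificate. No errors reach the user.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Not wanted for this use case: peeking at step2 makes Squid fetch the
# server certificate, and a validation failure then becomes an error the
# user sees instead of a logged, spliced connection.
# acl step2 at_step SslBump2
# ssl_bump peek step2

# Record the SNI for each spliced connection; clients that send no SNI
# log "-" here, which is exactly the traffic this setup cannot attribute.
logformat tlslog %ts.%03tu %>a %ssl::>sni %Ss/%03>Hs
access_log /var/log/squid/tls.log tlslog
```

The trade-off is the one Alex states: the statistics are only as good as the SNI the client chooses to send. A client that omits SNI, or names a different host than it actually talks to, is still spliced through but shows up in the log as "-" or under the wrong name, so this configuration is suitable for usage reporting among cooperating users, not for enforcement.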