On 10/05/2016 10:34 p.m., turgut kalfaoğlu wrote:
> Hello everyone..
>
> My setup -- this is for speeding up the home ADSL..
>
> https_port 3129 intercept ssl-bump \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>   cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch

Are you sure Squid is actually running this config file? Where is the
definition for this ACL you named "ssl::certDomainMismatch"?

Note that name and type of ACL are different things. Name is a text
string usually assigned by you. Type is how and what it matches against
when used.

> sslproxy_cert_error allow all

TLS is security. Ignoring all security errors is not good.

> sslproxy_flags DONT_VERIFY_PEER

The above flag should not be used outside some very specific debugging
circumstances. It breaks the other config settings about what to do with
errors.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 20 startup=3 idle=1
> ssl_bump server-first all
>
> This works well for facebook, gmail, google, and probably others..
> But https://sahibinden.com , whatever they are doing fails - the page
> appears broken.
> I tried broken_sites acl trick, did not help.
>

Two reasons possibly for that:

1) Order is important. The exact ordering of the ssl_bump rules will
determine which gets applied. If "server-first all" is listed above
"none broken_sites", then the broken sites workaround will never be
attempted.

2) You are intercepting traffic. This means that the destination server
name is not available to either of the server-first or "none" actions.
All you have to work with is the server raw-IP presented by the TCP
layer. You need to upgrade to the peek-and-splice configuration actions
for server name and other TLS detail based workarounds to be useful.

> acl broken_sites ssl::server_name .sahibinden.com
> acl broken_sites ssl::server_name image5.sahibinden.com

This second entry should not be there. The top entry overlaps it.

> acl broken_sites ssl::server_name .shbdn.com
> ssl_bump none broken_sites
>
> Does anyone have any ideas what else I can try?

Are you using the very latest 3.5.19 release? If not please upgrade
your Squid. If you are, please upgrade your config rules.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
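The peek-and-splice rewrite Amos points to, as an added example rather than a config taken from the thread. It keeps the poster's port, CA paths and ssl_crtd helper lines, removes the DONT_VERIFY_PEER flag and the blanket "sslproxy_cert_error allow all", and assumes a Squid 3.5.x build with SSL-Bump support; the sslproxy_cert_adapt line is left out because the thread never defines the ACL it references, and the remaining lines are a minimal ruleset, not the full squid.conf.

```squid
# Intercept port and local CA, same paths as the original post.
https_port 3129 intercept ssl-bump \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 20 startup=3 idle=1

# Keep upstream certificate verification on. A bad server certificate
# must produce an error page, not get re-signed by the local CA.
# (No sslproxy_flags DONT_VERIFY_PEER; no "sslproxy_cert_error allow all".)
sslproxy_cert_error deny all

# Sites to leave untouched. ".sahibinden.com" already covers
# image5.sahibinden.com, so that host needs no separate entry.
acl broken_sites ssl::server_name .sahibinden.com
acl broken_sites ssl::server_name .shbdn.com

# With intercept, step 1 only has the destination IP from the TCP layer,
# so peek first to read the server name from the client's TLS ClientHello.
acl step1 at_step SslBump1
ssl_bump peek step1

# At step 2 the SNI is known and ssl::server_name can match. Rule order
# matters: the splice rule must come before the catch-all bump.
ssl_bump splice broken_sites
ssl_bump bump all
```

The splice action hands the original TLS handshake through untouched, so sites that pin certificates or otherwise object to a re-signed chain keep working, while everything else is still bumped and cached. Sanity check after editing: `squid -k parse` must report no ACL or directive errors before `squid -k reconfigure`.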