On 16/05/2016 5:48 p.m., admin wrote:
> Hi!
>
> Squid 3.5.17 with SSL, intercept.

Please upgrade to 3.5.19.

> I use SSL-Bump only step1 that gets the SNI and terminates HTTPS sites by
> domain name. The certificate is not replaced!

The certificate is never replaced. Though if you don't know how TLS works and look at it only from the client perspective it can appear to be so.

The reality is you either have one TLS connection or two with different certificates on each.

> acl blocked_https ssl::server_name "/etc/squid/urls/block-url"
> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2
> connection-auth=off cert=/etc/squid/squidCA.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate blocked_https
>
> It works.

Obviously not. There is no instruction what to do other than terminate. Squid is left to other circumstances to decide what is needed...

> But if I use
>
> acl users_no_inet src "/etc/squid/ip-groups/no-inet"
> http_access deny users_no_inet

... you force bumping to happen in order to deliver the HTTP error message.

Try adding this rule above the peek (and the ACL line too):

  ssl_bump terminate users_no_inet

> I see NET::ERR_CERT_AUTHORITY_INVALID in browser. I import my squid
> cert, but I see NET::ERR_CERT_COMMON_NAME_INVALID
>
> Why in this case is Squid trying to replace the certificate?

There is no server connection or certificate in existence. So nothing exists to be replaced.

What you are seeing is Squid using its own certificate to get a TLS connection it can deliver the HTTP error message through.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
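The poster's configuration rearranged in the order Amos recommends, as an added illustration that is not part of the thread above and not Squid project documentation. The ACL names and file paths are the ones from the post; the final "ssl_bump splice all" rule is an assumption added here so that every connection is decided by an explicit rule rather than by Squid's fallback behaviour, and the "http_access deny" line is kept from the post only so the contrast with the ssl_bump rule is visible.

```squid
# Added example (not from the thread or the Squid project): the poster's
# intercept SSL-Bump setup with the "terminate users_no_inet" rule placed
# above the peek, as suggested in the reply. Paths are from the post.

# Client IPs with no Internet access, one per line.
acl users_no_inet src "/etc/squid/ip-groups/no-inet"

# Server names to refuse, matched against the SNI from the ClientHello.
acl blocked_https ssl::server_name "/etc/squid/urls/block-url"

# SslBump1: only the client's TCP/IP details are known at this point;
# the ClientHello (and therefore the SNI) has not been read yet.
acl step1 at_step SslBump1

https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 \
    connection-auth=off cert=/etc/squid/squidCA.pem

# Must come BEFORE the peek. A src ACL is already matchable at step 1,
# so a blocked client is cut off before any TLS handshake takes place.
# Squid never has to present its own certificate to deliver an error
# page, so the browser sees a dropped connection instead of
# NET::ERR_CERT_AUTHORITY_INVALID / NET::ERR_CERT_COMMON_NAME_INVALID.
ssl_bump terminate users_no_inet

# Everyone else: read the ClientHello at step 1 to learn the SNI,
# without yet committing to bump or splice.
ssl_bump peek step1

# At step 2 the SNI is known; refuse connections to blocked names.
ssl_bump terminate blocked_https

# Assumed addition: tunnel everything else without decrypting it.
# A spliced connection keeps the origin server's certificate end to end;
# nothing is replaced.
ssl_bump splice all

# Kept from the post for plain-HTTP clients in the same group. On its own
# this rule can only block HTTPS clients by bumping them to serve the
# error page, which is what produced the certificate errors; with the
# ssl_bump terminate rule above, those clients never reach it over TLS.
http_access deny users_no_inet
```

Rule order matters because Squid applies the first matching ssl_bump rule at each step: at step 1 only the src-based terminate and the peek are candidates, and at step 2 the server_name ACL can finally be evaluated against the peeked SNI.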