Hello all,

just wondering whether it is possible to perform SSLBump/SSLSplit for non-HTTPS connections. At the moment we are interested in FTPS.

We are running Squid version 3.4.2. With SSLBump configured, we are not able to receive SSL certificates:

proxy:/etc/squid3# grep server-first squid.conf
ssl_bump server-first all
proxy:/etc/squid3# socat TCP-LISTEN:9999,reuseaddr,fork PROXY:127.0.0.1:www.ftpsservicedomain.net:990,proxyport=8080
proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
140535877478056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

With ssl_bump disabled for the particular destination domain, we are able to receive SSL certificates:

proxy:/etc/squid3# openssl s_client -connect localhost:9999 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=www.ftpsservicedomain.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
-----BEGIN CERTIFICATE-----
MIIGQzCCBCugAwIBAgITWgAAuYCRJAQnIMZ1CwABAAC5gDANBgkqhkiG9w0BAQsF
....

In both cases the only log entry we see is the CONNECT request:

01/Jun/2016:10:16:23 +0200 681 127.0.0.1 TAG_NONE/200 0 CONNECT www.ftpsservicedomain.net:990 - HIER_DIRECT/www.ftpsservicedomain.net - [Host: www.ftpsservicedomain.net:990\r\n] [-]

Best regards,
--
Peter Viskup