According to the logs bump was being performed before the change, so I don't follow.
If the lack of an acl step1 SslBump1 was the problem, he would have no bumps or bumps with incorrect host names in the certificates. Right now it seems he is either bumping some CONNECT request WhatsApp doesn't want to be MITM'd or outright denying something, or maybe something else entirely; without logs we cannot be sure.
Chico Venancio
On 12/09/2016 12:46, "Yuri Voinov" <yvoinov@xxxxxxxxx> wrote:
Both of you are caught up in the access control list and have completely lost sight of the fact that the OP basically wrote the wrong general rules for bump and skipped step1 - SslBump1.
Which can be splice by server name without peek performing? Yes?
That is why it did not work. All the rest is non-fundamental cosmetics and can be written and debugged later.
12.09.2016 21:40, Marcus Kool wrote:
>
>
> On 09/12/2016 12:15 PM, Chico Venancio wrote:
>> I'd think a regex consumes a lot more resources than server name, but don't know if it is significant.
>> Anyway, without more details we can't be sure the server name not matching is the problem.
>>
>> We need access logs and client(browser) details.
>>
>> By the way, acl excludeSSL ssl::server_name web.whatsapp.com
>> Would not work, whatsapp uses some subdomains that also should not be bumped.
>
> squid.conf.documented seems to imply that you can add a dot to match the subdomains also, just like with dstdomain :
> acl excludeSSL ssl::server_name .web.whatsapp.com
>
> Be careful with the regex, it matches also web.whatsapp.com-24.site: it needs a $
>
> Marcus
>
>> Chico Venancio
>>
>>
>> On 12/09/2016 11:42, "Yuri Voinov" <yvoinov@xxxxxxxxx> wrote:
>>
>>
> Because ssl::server_name_regex works reliably. As shown by my personal
> practice. But in general it is by op's choice.
>
>
> 12.09.2016 20:38, Marcus Kool wrote:
>
>
> > On 09/12/2016 11:14 AM, Yuri Voinov wrote:
>
>
> >> Oooops,
>
> >> acl must be:
>
> >> acl excludeSSL ssl::server_name_regex web\.whatsapp\.com
>
> > why a regex?
> > why not the following ?
> > acl excludeSSL ssl::server_name web.whatsapp.com
>
> > Marcus
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
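The ACL forms compared in this thread, run against a few server names, as an added example that is not part of the original messages. Python's `re` stands in for Squid's regex matching, the dot-prefix behaviour follows the dstdomain-style reading suggested in the thread (an assumption), and all host names except the look-alike quoted above are constructed.

```python
import re

# Constructed SNI values; the look-alike host is the one quoted in the thread.
SAMPLE_SNI = [
    "web.whatsapp.com",
    "w1.web.whatsapp.com",        # constructed subdomain
    "web.whatsapp.com-24.site",   # look-alike named in the thread
    "notweb.whatsapp.com",        # constructed: contains the pattern mid-label
]

def regex_acl(pattern):
    """Model of a server_name_regex ACL: unanchored substring search."""
    rx = re.compile(pattern)
    return lambda sni: rx.search(sni) is not None

def domain_acl(value):
    """Model of a server_name ACL with dstdomain-style matching (assumed):
    'example.com' matches that host only, '.example.com' also its subdomains."""
    value = value.lower()
    def match(sni):
        sni = sni.lower().rstrip(".")
        if value.startswith("."):
            return sni == value[1:] or sni.endswith(value)
        return sni == value
    return match

ACLS = {
    "regex, unanchored": regex_acl(r"web\.whatsapp\.com"),
    "regex, anchored": regex_acl(r"(^|\.)web\.whatsapp\.com$"),
    "server_name exact": domain_acl("web.whatsapp.com"),
    "server_name dotted": domain_acl(".web.whatsapp.com"),
}

def spliced(acl_name):
    """Return the sample names that the given ACL form would match."""
    return [s for s in SAMPLE_SNI if ACLS[acl_name](s)]

if __name__ == "__main__":
    for name in ACLS:
        print(f"{name:20} -> {spliced(name)}")
```

The unanchored regex is the only form that also matches the look-alike and the mid-label name; anchoring both ends gives the same result as the dotted `server_name` form on these samples.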