From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Amos Jeffries
Sent: Tuesday, 24 January 2017 01:01
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [3.5.23]: mozilla.org failed using SSL transparent SSL23_GET_SERVER_HELLO:unknown protocol

On 24/01/2017 12:28 p.m., David Touzeau wrote:
> Same issue with https://www.digitalocean.com/ is somebody did not
> encounter the issue using Squid in transparent mode with SSL ??
>

The TLS / HTTP environment is in the process of stabilizing, but still
quite volatile.

Since the error message says "unknown protocol" I suspect it is
something like WebSockets, HTTP/2 or SPDY which you are actually
intercepting on port 443. Not HTTP/1 which Squid supports.

Or maybe it is some non-TLS traffic that OpenSSL does not support.

Mozilla do cert pinning, so the bump/intercept should probably not work
anyway. I'm not sure about digitalocean.

------------------------------------------------------------------------------------------------------------------------------------

Thanks Amos for the answer but...

I did not want to bump these sites, only pass through the squid port and process the request without trying to decrypt the protocol.

Tried:

acl nossl dstdomain -i .mozilla.org
ssl_bump none nossl
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

or

acl nossl dst 104.16.40.2
ssl_bump none nossl
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

But squid is still unable to process the request.
Any workaround?
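
Added example, not part of the thread and not Squid's own code: a Python check for the two possibilities raised in the quoted reply (non-TLS traffic on port 443, or a client offering HTTP/2 or SPDY through ALPN), run against the first bytes of a connection. The sample bytes are constructed here, and the function names are assumptions of this example.

```python
import struct

def build_client_hello(sni, alpn):
    """Constructed sample input: a minimal TLS ClientHello record with SNI and ALPN."""
    host = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!HHH", 16, len(protos) + 2, len(protos)) + protos
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_first_bytes(data):
    """Classify the first bytes seen on a port-443 connection; parse a ClientHello if present."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        http = data[:5] == b"HTTP/" or data.split(b" ")[0] in (b"GET", b"POST", b"CONNECT")
        return {"kind": "plain-http" if http else "not-tls"}
    if data[5] != 0x01:                      # e.g. 0x02 = ServerHello
        return {"kind": "tls-handshake", "type": data[5]}
    out = {"kind": "tls-client-hello", "sni": None, "alpn": []}
    try:
        p = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
        p += 1 + data[p]                     # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")   # cipher suites
        p += 1 + data[p]                     # compression methods
        end = min(len(data), p + 2 + int.from_bytes(data[p:p + 2], "big"))
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            ext = data[p + 4:p + 4 + elen]
            if etype == 0:                   # server_name: list len(2), type(1), name len(2)
                out["sni"] = ext[5:5 + int.from_bytes(ext[3:5], "big")].decode("ascii", "replace")
            elif etype == 16:                # ALPN: list len(2), then len-prefixed names
                q = 2
                while q < len(ext):
                    out["alpn"].append(ext[q + 1:q + 1 + ext[q]].decode("ascii", "replace"))
                    q += 1 + ext[q]
            p += 4 + elen
    except IndexError:
        out["kind"] = "tls-truncated"
    return out

SAMPLE_HELLO = build_client_hello("www.mozilla.org", ["h2", "http/1.1"])   # constructed
SAMPLE_PLAIN = b"HTTP/1.1 400 Bad Request\r\n\r\n"                          # constructed

if __name__ == "__main__":
    for s in (SAMPLE_HELLO, SAMPLE_PLAIN): print(inspect_first_bytes(s))
```

A result of `plain-http` or `not-tls` on the server side of the connection is the kind of reply OpenSSL reports as "unknown protocol"; an `alpn` list containing `h2` shows the client is offering HTTP/2.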