Ssl bump tunneling connection by using Common Name

Greetings

We're using Squid 3.5.19 with ssl bump,
and we want to tunnel (not bump) applications such as Skype that use pinned SSL,
so we defined an acl for splicing Skype's ssl_server_name.

However, Skype's client app uses client certificates that don't have SNI.
The only way to identify Skype is its Common Name: *.dc.trouter.io

But the Common Name is available only in step 3 of ssl bump,
where tunneling the connection is no longer possible (as documented in the peek and splice step 3 docs).
What we get is bumping.

Is there a way we can tunnel an acl based on Common Name?

ty


http_port 3127
http_port 3128 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
# true only while the connection is at SslBump step 1 (before the ClientHello has been peeked)
acl DiscoverSNIHost at_step SslBump1
# server names to splice instead of bump; from step 2 on, ssl::server_name carries the peeked SNI.
# Dots are unescaped, so each '.' matches any character.
acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update|skype.com|go.trouter.io|secure.adnxs.com|pipe.skype.com|skype-m.hotmail.com|mobile.pipe.aria.microsoft.com|edge.skype.com|api.cc.skype.com|a.config.skype.com|clientlogin.cdn.skype.com|.dc.trouter.io|ui.skype.com|apps.skype.com|registrar-rr.prod.registrar.skype.com|secure.skypeassets.com|c1.skype.com)
# ssl_bump rules are re-evaluated at every step; the first matching rule wins
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# these two directives disable server certificate validation for bumped connections
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
