Re: Squid SSL Intercept have issues apps on iOS

On 11/04/2017 11:38 p.m., prashantbhosale wrote:
> I was trying to set up Squid transparent SSLBump and it's working. But it's
> giving problems for Apple apps.
> According to threads on the mailing list, with excluded domains (.apple.com
> .icloud.com .mzstatic.com .akamaihd.net .dropbox.com) the App Store works
> (browsing apps, searching apps) but app installation (from the App Store) fails
> with the below squid access log:
> 1491910115.715     51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 -
> ORIGINAL_DST/17.154.66.226 -
> 1491910116.537     52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 -
> ORIGINAL_DST/17.154.66.74 -

Please read
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>

The above log entries look like the step 1.i CONNECT requests to me.
TLS/SSL has not started at that point and ssl_bump has not even been
considered.

Later on ...

> sslproxy_cert_error allow all

... you have disabled all errors from being visible to anyone.
*including you*.

> sslproxy_flags DONT_VERIFY_PEER

... and you have disabled all TLS security protections.

> 
> Does anybody have a working conf for sslbump that excludes the HTTP Public Key
> Pinning (HPKP) mechanism?

There is no way to know whether the pinning is being used, nor even what
software was being used. Some client IP connects and signals that it
needs TLS. Then exits as soon as TLS is sent to it. End of story.

There are a large number of things that could be going on when a client
simply disappears like that. As humans we can know a lot of contextual
information about the whole situation and decide that it's HPKP - but the
software on the spot when it happened does not have any of that extra
info to work with.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
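To make the two points in the reply concrete (the quoted CONNECT entries are step 1 tunnels that died before any TLS was exchanged, and the two quoted directives silence server-certificate checking), here is an added Python example; it is not code from the thread or from Squid. The log lines and squid.conf text it processes are constructed, modelled on the ones quoted above.

```python
import re
# Constructed sample lines in Squid's native access.log format, modelled on the
# two CONNECT entries quoted in the thread plus one ordinary GET for contrast.
SAMPLE_LOG = """\
1491910115.715     51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 - ORIGINAL_DST/17.154.66.226 -
1491910116.537     52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 - ORIGINAL_DST/17.154.66.74 -
1491910120.101    412 10.99.1.1 TCP_MISS/200 5320 GET https://example.net/x.json - ORIGINAL_DST/192.0.2.10 application/json
"""
# Native layout: time elapsed client tag/status bytes method url user hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one native-format line into a dict; None if it does not match."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("elapsed", "status", "bytes"):
        e[k] = int(e[k])
    return e

def is_dead_tunnel(e):
    """CONNECT that Squid accepted (TAG_NONE/200) but sent 0 bytes to the client:
    the tunnel closed at the step 1 CONNECT stage, before ssl_bump was consulted."""
    return (e["method"] == "CONNECT" and e["tag"] == "TAG_NONE"
            and e["status"] == 200 and e["bytes"] == 0)

def dead_tunnels(log_text):
    """(client, destination) pairs for tunnels that died before TLS started."""
    entries = filter(None, (parse_line(l) for l in log_text.splitlines()))
    return [(e["client"], e["url"]) for e in entries if is_dead_tunnel(e)]

# Directives quoted in the thread that hide or disable server-certificate checks.
INSECURE_DIRECTIVES = {
    "sslproxy_cert_error allow all": "every certificate error is ignored and hidden",
    "sslproxy_flags DONT_VERIFY_PEER": "server certificates are not verified",
}

def audit_config(config_text):
    """(line_number, directive, reason) for each insecure directive in squid.conf text."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())  # strip comment, squash spaces
        if line in INSECURE_DIRECTIVES:
            findings.append((n, line, INSECURE_DIRECTIVES[line]))
    return findings
```

Run dead_tunnels() over a real access.log to count how many clients vanish at the CONNECT stage per destination, and audit_config() over squid.conf before trusting the absence of certificate errors in that log.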