On 11/04/2017 11:38 p.m., prashantbhosale wrote:
> I was trying to set up Squid transparent SSLBump and it is working. But it
> is giving problems for Apple apps.
> According to threads on the mailing list, with the excluded domains (.apple.com
> .icloud.com .mzstatic.com .akamaihd.net .dropbox.com) the App Store works
> (browsing apps, searching apps) but app installation (from the App Store) fails
> with the below squid access log:
> 1491910115.715 51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 - ORIGINAL_DST/17.154.66.226 -
> 1491910116.537 52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 - ORIGINAL_DST/17.154.66.74 -

Please read
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>

The above log entries look like the step 1.i CONNECT requests to me. TLS/SSL has not started at that point and ssl_bump has not even been considered.

Later on ...

> sslproxy_cert_error allow all

... you have disabled all errors from being visible to anyone. *Including you*.

> sslproxy_flags DONT_VERIFY_PEER

... and you have disabled all TLS security protections.

>
> Does anybody have a working conf for sslbump that excludes the HTTP Public Key
> Pinning (HPKP) mechanism?

There is no way to know whether pinning is being used, nor even what software was being used. Some client IP connects and signals that it needs TLS. Then exits as soon as TLS is sent to it. End of story.

There are a large number of things that could be going on when a client simply disappears like that. As humans we can know a lot of contextual information about the whole situation and decide that it's HPKP - but the software on the spot when it happened does not have any of that extra info to work with.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
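The two settings Amos objects to, shown beside the corrected form, together with the peek-then-splice rules that exempt the domains listed in the post. This is an added example, not configuration from the original poster or from the Squid project; it uses Squid 3.5-era directive names (sslproxy_flags was replaced by tls_outgoing_options in Squid 4), and the intercept port number, certificate path, ssl_crtd path and certificate database path are placeholders. In intercept mode there is no Host header, so the only name Squid can match an exemption against is the SNI read by peeking at step 1; a client that drops the connection right after CONNECT, as in the log lines above, still produces nothing that distinguishes pinning from any other abort.

```conf
# Added example, not from the original post. Squid 3.5 syntax; paths and port are placeholders.

# --- weak settings quoted in the thread (left here commented out, do not use) ---
# sslproxy_cert_error allow all      # suppresses every upstream certificate error, for users and for the admin
# sslproxy_flags DONT_VERIFY_PEER    # turns off verification of the origin server's certificate entirely

# --- corrected ---
sslproxy_cert_error deny all         # the default: an upstream certificate problem becomes a visible error page
# sslproxy_flags deliberately not set: origin certificates are verified against the system trust store

http_port 3129 intercept ssl-bump \
    cert=/etc/squid/bump.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1

# Domains from the post that must not be bumped. ssl::server_name matches the SNI
# learned by peeking at step 1 (and the server certificate, if one has been seen).
acl nobump ssl::server_name .apple.com .icloud.com .mzstatic.com .akamaihd.net .dropbox.com

ssl_bump peek step1       # step 1: read the ClientHello to learn the SNI without altering the connection
ssl_bump splice nobump    # step 2: pass the exempted hosts through untouched, so the client sees the real origin certificate
ssl_bump bump all         # step 2: everything else is bumped with a generated certificate
```

With `sslproxy_cert_error deny all` in place, a genuine upstream certificate failure shows up in cache.log and as an error page instead of being silently accepted, which is the first thing to check before concluding that a vanished client was pinning.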