On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:
> I have a blanket block setup with Squid as Transparent proxy where
> access is allowed only to github.com. But, squid generates certificates
> for IP address instead of domain name and SSL validation fails.
>
> Squid version: |3.5.25-20170408-r14154|
>
> When I use curl
> |curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com'|
>
> How to configure properly to splice a whitelist and block all other
> domains. Below is my current configuration
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
>
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
>
> Please help me fix the issue.

Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)? What does
access.log say?

Alex.
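One way to check access.log for the case raised in the reply above, as an added example that is not part of the original thread: it lists CONNECT requests that were denied while still addressed to a raw IP, which is how an intercepted connection appears before any SNI is known. It assumes Squid's default native log format; the log lines and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample lines in Squid's default native access.log format
# (time elapsed client result/status bytes method URL user hierarchy type).
SAMPLE_LOG = """\
1492418301.120      0 10.0.0.5 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -
1492418302.431    210 10.0.0.5 TCP_TUNNEL/200 4512 CONNECT github.com:443 - ORIGINAL_DST/192.30.255.112 -
1492418303.007      1 10.0.0.9 TCP_DENIED/403 3920 GET http://example.com/ - HIER_NONE/- text/html
1492418304.552      0 10.0.0.7 TCP_DENIED/200 0 CONNECT [2001:db8::10]:443 - HIER_NONE/- -
"""


def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def denied_fake_connects(log_text):
    """Return (client, target) for denied CONNECTs addressed to a raw IP."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, result, method, target = fields[2], fields[3], fields[5], fields[6]
        host = target.rsplit(":", 1)[0]  # drop the :port suffix
        if (method == "CONNECT" and result.startswith("TCP_DENIED")
                and is_ip_literal(host)):
            hits.append((client, target))
    return hits


if __name__ == "__main__":
    for client, target in denied_fake_connects(SAMPLE_LOG):
        print(f"{client}: denied CONNECT to IP target {target}")
```

Any hit means an http_access rule rejected the connection while only the destination IP was available, so a `ssl::server_name` whitelist could not yet have matched.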