On 26/11/17 00:52, James Lay wrote:
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
On 25/11/17 08:30, James Lay wrote:
Topic says it...this setup has been working well for a long time, but
now there are some sites that are failing the TLS handshake. Here's
my setup:

  acl localnet src 192.168.1.0/24
  acl SSL_ports port 443
  acl Safe_ports port 80
  acl Safe_ports port 443
  acl CONNECT method CONNECT
  acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports
  http_access allow SSL_ports
  http_access allow allowed_http_sites
  http_access deny all

  ssl_bump peek all
  acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
  ssl_bump splice allowed_https_sites
  ssl_bump terminate all
Because you have "peek all" being performed the transaction MUST pass
your regex patterns with both TLS SNI from the client *and* the server
certificate SubjectName values. Either one not matching will perform
that "terminate all" on the TLS handshake.
Thanks Amos...do you have a suggestion for changing this to match one or
the other instead of both?
Doing the splice check before the peek should do that. First one of the
server_names data sources to match will then splice and non-matches fall
through to either peek or terminate if no more peeking possible.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
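The reordering Amos describes, written out as a complete ssl_bump section. This is an added example, not a configuration posted in the thread or shipped by the Squid project; the separate pattern file /opt/etc/squid/https_hosts.txt is an assumption made here because ssl::server_name_regex is matched against a server name (the CONNECT host at step 1, the client's SNI at step 2, the server certificate subject at step 3), not a URL, so patterns written for url_regex will generally not match it.

```conf
# Added example, not from the thread: the splice check is evaluated before
# the peek, so the first server_name data source that matches splices the
# connection instead of every source having to match.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

# Hostname patterns only (assumed separate file): ssl::server_name_regex is
# matched against a server name, never against a full URL, so the url_regex
# file above is not reused here.
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_hosts.txt"

# Evaluated at each SslBump step in this order:
#   step 1: server name is the CONNECT destination host
#   step 2: server name is the TLS SNI the client sent
#   step 3: server name is the SubjectName from the server certificate
# A match at any step splices. A non-match falls through to "peek all",
# which advances to the next step; at the last step, where no further
# peeking is possible, it falls through to "terminate all".
ssl_bump splice allowed_https_sites
ssl_bump peek all
ssl_bump terminate all
```

Because the splice rule now fires at step 1 on the CONNECT host alone, a client that names an allowed host in its CONNECT request is spliced before the SNI or the server certificate is ever seen; if that is not acceptable, the splice rule can be restricted to later steps with an at_step ACL so that the decision is taken on the SNI or on the certificate rather than on the client-supplied CONNECT target.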