On 22/11/19 9:19 am, Monah Baki wrote:
> I added the following:
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> and it works now.
>
> In my access.log:
>
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT static.xx.fbcdn.net:443" 200 4199 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbcdn.net:443" 200 5431 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbsbx.com:443" 200 5439 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT connect.facebook.net:443" 200 6085 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT www.cnn.com:443" 200 155123 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
>
>
> So since I am new to sslbump, what am I benefiting from this?

You are not benefiting. Problems the users ask you to track down with TLS will now be hidden from your debugging attempts. Users' TLS can now be intercepted and the traffic replaced by anyone. You will not be shown the signs of that happening since you told Squid to hide them.

> able to see unencrypted data?

No more than before. It's just that Squid will no longer attempt to verify the certs are valid or report in logs etc. about problems.

Basically your users' traffic can now be intercepted by anybody, anywhere along the Internet paths, and replaced with other content - your Squid will not report anything amiss. Basically any TLS through your proxy is no longer secure.

In general you will always see sites having trouble with TLS. This is normal, expected, and sometimes a *good* thing. Change your focus to identifying *what* is failing for each site that you want to work but fails. Sometimes it is a problem you can fix, sometimes it can be ignored (the sslproxy_cert_error directive is for these). But definitely decide what to do case-by-case instead of "allow all".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
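The case-by-case alternative Amos describes, shown next to the quoted blanket setting, as an added example that is not from this thread or from the Squid project. It assumes a Squid release whose ACL types include ssl::server_name and ssl_error; the hostname is a placeholder and the error name is the OpenSSL name for a self-signed leaf certificate.

```conf
# Weak setting from the thread: every certificate error on every site is
# excused, and peer verification is switched off outright, so Squid stops
# logging the very signs of interception that verification exists to catch.
#
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
#
# Scoped alternative: verification stays on (the sslproxy_flags line is simply
# removed), and only one investigated server with one understood error is
# tolerated. Both ACL types below are assumed to exist in the Squid in use.

# Placeholder hostname: the single server whose failure you have looked into.
acl known_broken_site ssl::server_name intranet.example.internal

# The single validation error you have decided to accept for that server.
acl tolerated_error ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

# Excuse only that combination; every other site and error is still verified,
# still refused, and still reported in cache.log and access.log.
sslproxy_cert_error allow known_broken_site tolerated_error
sslproxy_cert_error deny all
```

Each further site that fails gets its own acl pair only after the failure has been identified, which keeps the "allow" list an inventory of known exceptions rather than a blanket override.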