Re: How to Configure Proxy Chaining with ssl-bump

Hi Amos,
Thanks for your explanation.
Could you instruct me on how to install squid v5 on CentOS 7?
Based on the URL https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29, CentOS seems not to support squid v5.

BR,
Michael

Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote on Friday, March 20, 2020 at 5:29 PM:
On 20/03/20 8:27 pm, Michael Chen wrote:
> Hi Amos,
> May I know which function Squid v3.5.28 cannot do for my scenario?
> Because Squid v3.5 still has the cache_peer and ssl commands .....
>

TLS is a volatile environment, with many changes going on constantly.
Squid-3 has been deprecated since 2018 and is far behind in support
needed for current TLS practices.

Especially when bumping you should always have the latest Squid version.


This first bit can be tested with Squid-3. It is just about getting a
secure connection to the peer, any Squid should be able to do that.

Ensure that the peer proxy is delivering its CA *chain* properly.
 * All the intermediates should be supplied during the server handshake.
 * cache_peer should only need the root CA for that chain. Configured in
the sslca= or tls-ca= option.

At this point your Squid should be able to pass traffic to the peer.
Test that with regular http:// URL requests to your Squid. *Not* HTTPS
or bumped traffic.


You can test the following with Squid-3, but do not expect it to work
very well. Squid-4 is better in a lot of cases, but still not completely.

Your ssl_bump rules should peek at the client cert, then stare at the
server cert, then bump the crypto. Like so:

 ssl_bump peek  step1
 ssl_bump stare all
 ssl_bump bump  all


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
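
Added example, not part of either message above: one way to check the point in the quoted reply that the peer must supply all intermediates in its handshake, so that only the root CA is needed on the cache_peer line. It classifies a saved `openssl s_client -showcerts` transcript; the host name, port, CA path and both sample transcripts are constructed placeholders.

```shell
# Added example: classify a saved `openssl s_client -showcerts` transcript.
# Capture (host, port and CA path are placeholders):
#   openssl s_client -connect peer.example.net:3129 -showcerts \
#       -CAfile /etc/squid/peer-root-ca.pem </dev/null >peer.txt 2>&1
# Then: check_peer_chain <peer.txt   (prints "<verdict> certs=<n> code=<rc>")
check_peer_chain() {
    out=$(cat)
    # Certificates the server sent in its handshake (leaf plus intermediates).
    n=$(printf '%s\n' "$out" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    # First "Verify return code" line; TLS 1.3 transcripts can repeat it.
    rc=$(printf '%s\n' "$out" |
         sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$rc" in
        0)     v=ok ;;              # chain built up to the configured root
        20|21) v=missing-issuer ;;  # intermediates not sent, or wrong root in CAfile
        18|19) v=untrusted-root ;;  # self-signed certificate that is not in CAfile
        '')    v=no-handshake ;;    # no verify line: connection or TLS failure
        *)     v=other ;;
    esac
    echo "$v certs=$n code=${rc:-none}"
}

# Constructed transcript (certificate bodies omitted): leaf and intermediate sent.
sample_complete() {
cat <<'EOF'
Certificate chain
 0 s:CN = peer.example.net
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 0 (ok)
EOF
}

# Constructed transcript: only the leaf was sent, so its issuer cannot be found.
sample_leaf_only() {
cat <<'EOF'
Certificate chain
 0 s:CN = peer.example.net
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

A `missing-issuer` verdict with `certs=1` is the case the reply warns about: the peer sends only its own certificate, so a cache_peer line holding just the root CA cannot build the chain.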