On 5/15/20 3:28 AM, David Touzeau wrote:

> acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
> ssl_bump peek ssl_step2
> ssl_bump splice ssl_step3 TestFinger
> ssl_bump stare ssl_step2 all
> ssl_bump bump all

> But no luck, website still decrypted.

That should be expected: During step1, the only ssl_bump rule that matches now is ... "bump all". Also, you have two ssl_step2 rules but only the first one can match. Perhaps the first one has a typo, and you meant to put ssl_step1 there?

Amos is correct that Squid uses SHA1. So does my openssl x509 (by default). However, FWIW, I get a different SHA1 fingerprint when I run your command:

> openssl s_client -host www.clubic.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout
> SHA1 Fingerprint=2A:F4:A6:8E:31:15:AD:A5:52:A9:5F:03:80:42:BE:CA:01:12:2C:E7

Perhaps www.clubic.com uses different certificates for different clients.

HTH,

Alex.

> On 13/05/2020 at 21:33, Alex Rousskov wrote:
>> On 5/12/20 7:42 AM, David Touzeau wrote:
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice TestFinger
>>> ssl_bump stare ssl_step2 all
>>> ssl_bump bump all
>>> Seems TestFinger ACLs did not match in any case
>> You are trying to use step3 information (i.e., the server certificate)
>> during SslBump step2: The "splice TestFinger" line is tested during
>> step2 and mismatches because the server certificate is still unknown
>> during that step. That mismatch results in Squid staring during step2.
>> The "splice TestFinger" line is not tested during step3 because splicing
>> is not possible after staring. Thus, Squid reaches "bump all" and bumps.
>>
>> For a detailed description of what happens (and what information is
>> available) during each SslBump step, please see
>> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> Also, if you are running v4.9 or earlier, please upgrade. We fixed one
>> server_cert_fingerprint bug, and that fix became a part of the v4.10
>> release (commit e0eca4c).
>>
>>
>> HTH,
>>
>> Alex.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
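
The rule evaluation described in this thread, traced step by step for both posted rule sets, as an added example that is not part of the original messages and is not Squid code. It is a simplified Python model; its assumptions are that peek and stare are only available before step3, that splice is unavailable after stare, and that TestFinger can match only once the server certificate is known (step3). All function and variable names are hypothetical.

```python
# Simplified model of ssl_bump rule selection, built only from the explanation
# in this thread and the linked wiki page. Not Squid's implementation.
FINAL_ACTIONS = {"splice", "bump", "terminate"}

# Rule sets copied from the two quoted messages (the acl line is modelled by
# the cert_is_testfinger flag instead of a real fingerprint comparison).
CONFIG_MAY_12 = """
ssl_bump peek ssl_step1
ssl_bump splice TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all
"""
CONFIG_MAY_15 = """
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all
"""

def acl_matches(acl, step, cert_is_testfinger):
    if acl == "all":
        return True
    if acl.startswith("ssl_step"):
        return acl == f"ssl_step{step}"
    if acl == "TestFinger":
        # Assumption: the server certificate is unknown before step3.
        return step == 3 and cert_is_testfinger
    raise ValueError(f"ACL not covered by this model: {acl}")

def action_possible(action, step, history):
    if action in ("peek", "stare"):
        return step < 3                  # assumption: step1/step2 actions only
    if action == "splice":
        return "stare" not in history    # splicing is not possible after staring
    return True

def simulate(config, cert_is_testfinger=True):
    """Return the action chosen at each step, stopping at a final action."""
    rules = [line.split()[1:] for line in config.strip().splitlines()]
    history = []
    for step in (1, 2, 3):
        chosen = next((action for action, *acls in rules
                       if action_possible(action, step, history)
                       and all(acl_matches(a, step, cert_is_testfinger) for a in acls)),
                      "(no match: outside this model)")
        history.append(chosen)
        if chosen in FINAL_ACTIONS or chosen.startswith("("):
            break
    return history

if __name__ == "__main__":
    print("12 May rules:", simulate(CONFIG_MAY_12))
    print("15 May rules:", simulate(CONFIG_MAY_15))
```

Both traces end in a bump even when the certificate would match TestFinger, for the two different reasons given in the replies.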