On 28/08/20 8:12 pm, info@xxxxxxxxxxxx wrote:
>
> Hi Squid Community,
>
> the last weeks it felt that more and more websites are going to be
> "incompatible" with Squid SSL bump.

"feelings" aside, that is exactly the situation.

SSL-Bump is literally a security attack on clients' traffic. Exactly the
thing TLS is designed to prevent. As all our official SSL-Bump
documentation says very prominently: "when used properly TLS cannot be
bumped".

There was a long period where very few websites used TLS properly. The
"HTTPS Everywhere" project has forced a lot of site admins to get
experience with HTTPS, and over time more networks are actually starting
to use it properly.

Which version are you using now?

> Some Websites are not displayed at all and a "403 Forbidden" from their
> proxy is displayed, others are displayed very ugly because some CSS is
> missing due to HTTP Error 403 on CSS resources.

"their"? Whose proxy?

If the problem is coming from a proxy that is not yours, contact its
sysadmin.

>
> Is there any way to tune SSL Bump for less problems with websites?
>

That depends on what you have configured (see below) and whether the
sites you are interested in are capable of being bumped (see above).

> Here some example websites which are not loading at all with SSL Bump:
>
> - forcepoint.com (Their Proxy displays: 403 forbidden)
> - itsg.de (Squid: Connect reset by peer)
> - leica-geosystems.com (Bad Request)
>
> Displayed very ugly because CSS Files got HTTP Error 403 with SSL bump:
>
> - pyur.com
> - help.nextcloud.com
> - it feels like all websites with Discourse Forums are having problems
>   with ssl bump - css missing, very ugly
> - many more
>
> These are only some examples. Who can reproduce these problems with
> their own SSL Bump Squid? Am I doing something wrong with SSL Bump? Is
> Squid 5 already better for this?
>

Which version are you using now? Exact version, as shown by squid -v,
including OpenSSL library version.

> Thanks for any help
> Schroeffu
>
> My current bump conf is extremely simple, just the default:

FYI; the *default* for SSL-Bump is not to exist. So no, your config is
way beyond default, simple as it is.

>
> http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on
>   dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/subca.crt.pem
>   key=/etc/squid/certs/subca.key.ohnersa.pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
>   -M 4MB
> ssl_bump bump !domains_dont_sslbump
>

This performs the bump action without any actual info from the TLS
server being "bumped". So of course you can expect a lot of problems
with that.

A "reliable" (as much as it can be) configuration looks at the TLS
handshake from each endpoint before deciding which details to pass on
and which to change:

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump splice domains_dont_sslbump
  ssl_bump stare all
  ssl_bump bump all

Adding in your whitelist of non-bump domains would look like:

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump splice domains_dont_sslbump
  ssl_bump stare all
  ssl_bump bump all

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
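As an added illustration, not code from the thread or from the Squid project, here is a small Python lint that applies the ordering point made in the reply: Squid evaluates ssl_bump rules top-down at each handshake step and the first match wins, so a bump rule reachable before any peek/stare rule is decided on the client's ClientHello alone. The two sample configurations are the ones quoted above; the finding messages are my own wording.

```python
# Two ssl_bump configurations quoted in the thread: the poster's single
# rule and the staged version from the reply.
ORIGINAL_CONF = """
http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
ssl_bump bump !domains_dont_sslbump
"""
STAGED_CONF = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice domains_dont_sslbump
ssl_bump stare all
ssl_bump bump all
"""

def parse_ssl_bump(conf):
    """Return ssl_bump rules in file order as (action, [acl names]) plus a
    map ACL name -> step for every 'acl NAME at_step STEP' line."""
    rules, step_acls = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "at_step":
            step_acls[parts[1]] = parts[3]
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return rules, step_acls

def lint_ssl_bump(conf):
    """Flag orderings that decide to bump without server-side data. Squid
    evaluates ssl_bump top-down at each step, first match wins, so a bump
    reachable before any peek/stare is decided on the ClientHello alone."""
    rules, step_acls = parse_ssl_bump(conf)
    findings, seen_server_side = [], False
    for action, acls in rules:
        if action in ("peek", "stare"):
            seen_server_side = True
            # A peek not pinned to SslBump1 also peeks the ServerHello,
            # which usually precludes bumping that connection later.
            if action == "peek" and not any(
                step_acls.get(a.lstrip("!")) == "SslBump1" for a in acls
            ):
                findings.append("peek not limited to SslBump1; later bump "
                                "rules will usually not be able to bump")
        elif action == "bump" and not seen_server_side:
            findings.append("'ssl_bump bump %s' precedes any peek/stare: "
                            "server handshake never inspected" % " ".join(acls))
    return findings
```

Running `lint_ssl_bump(ORIGINAL_CONF)` reports the single-rule config; the staged config from the reply produces no findings.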