This works in another proxy which looks at the SNI only without any bump involved.
Remember that Squid should splice the connection based on regex and server-name dst.
On the other proxy this is what I have:

Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64632 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64633 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64634 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64630 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64631 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 SNI:https://storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 use parent : false, storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 ip 192.168.189.X rate, current: 1/s, max: 20/s
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 conn 192.168.189.X:64667 - 104.79.221.20:443 connected [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 SNI:https://storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 use parent : false, storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 ip 192.168.189.X rate, current: 2/s, max: 20/s
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 conn 192.168.189.X:64669 - 104.79.221.20:443 connected [storeedgefd.dsx.mp.microsoft.com:443]

So the regex:
storeedgefd\.dsx\.mp\.microsoft\.com

should work.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Lorenzo Marcantonio
Sent: Tuesday, January 12, 2021 10:58 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Microsoft store issues with ssl-bump

On Tue, Jan 12, 2021 at 10:33:00AM +0200, Eliezer Croitoru wrote:
> > Any hints might help to find and resolve this issue

From my experience MS Update and probably the store too use custom root
certificates; check if that's the case.

It's also possible that that connection is so hardwired that it doesn't
accept a redirect. So it sees that and becomes suspicious (Windows Update
is extremely suspicious :D)

For some antivirus (Avast maybe? I don't remember) the updater actually
checks the server certificate fingerprint so you can't bump it and you
need a special NAT rule for all the fscking IPs it uses (if you set
a proxy it does a connect BY IP and not by name, and the IPs are
hardcoded and not resolved by DNS).

So it is possible you can't bump a store connection (remember that
technically a bump is a MITM intrusion that TLS is explicitly designed to
detect!)

--
Lorenzo Marcantonio