On 12/01/21 11:32 pm, NgTech LTD wrote:
> I'm saying that my config might be wrong and I will send you a full
> config save which can show you the whole setup like most vendors have.
> I have upgraded squid in production.
> Let me verify first before shouting "bug".
>
> Eliezer

Okay. I see a few things to follow up on.

The other proxy logs show SNI as being
"https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a
name, not a full URL. So if we assume that log is correct the client is
producing invalid SNI. This may be an issue for Squid, causing it to
ignore the SNI value entirely.

The openssl tool connecting to the same IP address the other proxy
claims to be going to gets "sfdataservice.microsoft.com" as the server
name. In absence of valid SNI to work with, that is the name your Squid
will be trying to match against to decide splice vs bump.

The server prefers to use TLS/1.3 unless explicitly connected to with
TLS/1.2 immediately. IIRC latest Squid forces the client to TLS/1.2 when
preparing to bump, but may not for splice and stare. So YMMV.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
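
To check what a client actually put in SNI, as discussed in the reply above, the following added example (not code from this thread or from Squid) parses the body of a TLS server_name extension and flags host_name values that break the RFC 6066 rules, such as a full URL or a name with a port. The function names and the sample bytes built by `build_ext` are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def sni_problem(name: bytes):
    """Return None for a valid RFC 6066 host_name, else a reason string."""
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError:
        return "non-ASCII bytes"
    if "://" in text:
        return "contains a URL scheme"
    if "/" in text or ":" in text:
        return "contains port or path characters"
    try:
        ipaddress.ip_address(text)
        return "IP address literal"
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if not text or len(text) > 253 or text.endswith("."):
        return "empty, too long, or trailing dot"
    if not all(_LABEL.fullmatch(label) for label in text.split(".")):
        return "invalid DNS label"
    return None

def parse_server_name_ext(body: bytes):
    """Parse a server_name extension body into [(name, problem_or_None)]."""
    (list_len,) = struct.unpack_from("!H", body, 0)
    if list_len != len(body) - 2:
        raise ValueError("ServerNameList length mismatch")
    out, pos = [], 2
    while pos < len(body):
        name_type, name_len = struct.unpack_from("!BH", body, pos)
        pos += 3
        name = body[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated ServerName entry")
        pos += name_len
        if name_type == 0:  # 0 = host_name, the only type RFC 6066 defines
            out.append((name, sni_problem(name)))
    return out

def build_ext(name: bytes) -> bytes:
    # Constructed sample input: one host_name entry wrapped in a ServerNameList.
    entry = struct.pack("!BH", 0, len(name)) + name
    return struct.pack("!H", len(entry)) + entry
```

Feeding it `build_ext(b"https://storeedgefd.dsx.mp.microsoft.com:443")` reports the URL scheme, while the bare name `storeedgefd.dsx.mp.microsoft.com` passes.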