-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 2:42 PM
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Microsoft store issues with ssl-bump

On 12/01/21 11:32 pm, NgTech LTD wrote:
> I'm saying that my config might be wrong and I will send you a full
> config save which can show you the whole setup like most vendors have.
> I have upgraded squid in production.
>
> Let me verify first before shouting "bug".
>
> Eliezer
>

> The other proxy logs show SNI as being
> "https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a
> name, not a full URL. So if we assume that log is correct the client is
> producing invalid SNI. This may be an issue for Squid, causing it to
> ignore the SNI value entirely.

It's only fprint that does this with https://XYZ:port
It sees only the ip + domain (plain SNI) + port

> The openssl tool connecting to the same IP address the other proxy
> claims to be going to gets "sfdataservice.microsoft.com" as the server
> name. In absence of valid SNI to work with that is the name your Squid
> will be trying to match against to decide splice vs bump.

So squid tried to match only the certificate and not the SNI?
From what I see the SNI is ok with the certificate version 3 extensions, ie DNS=XYZ
(it should, I cannot verify this against the server at the moment.)

> The server prefers to use TLS/1.3 unless explicitly connected to with
> TLS/1.2 immediately. IIRC latest Squid forces the client to TLS/1.2 when
> preparing to bump, but may not for splice and stare. So YMMV.

OK

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon
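Added example, not from the thread and not Squid's own code: a small Python script showing the name-selection rule Amos describes, i.e. parse the SNI out of a ClientHello, accept it only if it is a bare hostname (so a value like "https://host:443" is rejected), and otherwise fall back to the server certificate's DNS name. The ClientHello bytes are constructed inline for the demo; `HOSTNAME_RE` and the function names are my own, and the server certificate name is passed in rather than fetched.

```python
import re
import struct
from typing import Optional, Tuple

# RFC 1123-style hostname check: labels of 1-63 alnum/hyphen chars, no scheme, no port.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with one SNI entry (constructed test input)."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name
    ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes) -> Optional[str]:
    """Return the raw host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                        # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    if pos + 2 > len(record):
        return None
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        if etype == 0:                                      # server_name extension
            name_len = struct.unpack("!H", record[pos + 7:pos + 9])[0]
            return record[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
        pos += 4 + elen
    return None

def name_for_bump_decision(record: bytes, cert_dns_name: str) -> Tuple[str, str]:
    """Use the SNI when it is a valid bare hostname; otherwise fall back to the
    server certificate's DNS name, as the thread describes Squid doing."""
    sni = extract_sni(record)
    if sni and HOSTNAME_RE.match(sni):
        return ("sni", sni)
    return ("certificate", cert_dns_name)

if __name__ == "__main__":
    bad = build_client_hello("https://storeedgefd.dsx.mp.microsoft.com:443")
    print(extract_sni(bad), "->", name_for_bump_decision(bad, "sfdataservice.microsoft.com"))
```

Run it to see that the URL-shaped SNI from the other proxy's log is extracted intact but rejected, so the match falls through to the certificate name.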