Re: Microsoft store issues with ssl-bump


Alex,

I am using the following stare rule:
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
ssl_bump stare tls_s2_client_hello

Which I am not sure about.
For now this issue seems to be gone.
I don't know why or how but it seems that some IP rotation is happening as we speak/write.
The IP address my service was accessing is different than the one now so I think what Amos
wrote is probably the real reason, i.e. that the service certificate was for another service CN/DNS Name.
While it's OK for the Windows client it's not OK for Squid and any other SNI based certificate validator.

Thanks Helped and Helps,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon


-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex Rousskov
Sent: Tuesday, January 12, 2021 5:15 PM
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re:  Microsoft store issues with ssl-bump

On 1/12/21 7:42 AM, Amos Jeffries wrote:
> IIRC latest Squid forces the client to TLS/1.2 when
> preparing to bump, but may not for splice and stare. So YMMV.

FTR: Bugs notwithstanding, modern Squid changes nothing on TLS level
when peeking, splicing, and/or terminating. Squid changes TLS bytes when
staring and/or bumping.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
