On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
> I'm trying to understand what I'm doing wrong in the config that still
> lets edition.cnn.com be decrypted instead of spliced?

If you still need help, please share the relevant parts of your
configuration and logs. I would start with ssl_bump rules and access log
records containing additional %error_code/%err_detail fields.

Alex.

> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, January 26, 2021 6:22 AM
> To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: acl aclname server_cert_fingerprint
>
> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>> I'm trying to use:
>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>
>>
>> I have created the next file:
>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>
>> And trying to use the next line:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>> To be explicit despite that only sha1 is a valid checksum.
>> Squid doesn't accept the above line
>
>
> Does not accept how? What is the error message?
>
>
>> but this one yes:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
>> Is there a reason for that?
>
>
> The use of ACL options and ACL parameter options is poorly documented.
>
> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
> says that server_cert_fingerprint is still broken. Not sure whether that
> was true, whether some other commit has fixed that ACL, and whether the
> problem mentioned in the commit message is related to your troubles.
> https://bugs.squid-cache.org/show_bug.cgi?id=4847
> https://github.com/squid-cache/squid/pull/191
>
> Also, according to my 2015 notes, server_cert_fingerprint happens to be
> case sensitive. I consider that a bug. I am not sure, but I think Squid
> expects uppercase hex letters (if any). I do not know whether that has
> been fixed.
>
>
> Finally, it is dangerous to list ACL parameter options like -sha1 in
> front of parameter filename when that parameter file may contain its own
> parameter options. A reader may think that -sha1 in squid.conf
> overwrites, say, -sha256 in the parameter file, but that is not what
> probably will happen when Squid starts supporting both options.
>
> That consideration may actually be the reason why Squid rejects your
> first configuration sample (or perhaps it should be the reason even if
> it does not).
>
> I am sure there are use cases where the admin wants to apply one
> parameter option to the whole file, but the ambiguity is too dangerous
> to allow IMO. We should make the choice explicit.
>
>
> HTH,
>
> Alex.
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
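An added configuration example, not from this thread and not Squid's own documentation, showing how a server_cert_fingerprint list can drive a splice-versus-bump decision and how to log the error fields Alex asks for. Assumptions: the at_step, ssl::server_name and server_cert_fingerprint ACL types and the %err_code/%err_detail logformat codes behave as in Squid 4 and later; the ACL names, the SNI list file and the fingerprint in the comment are constructed for this example. The point a practitioner needs: the server certificate, and therefore its fingerprint, is only known at step 3, while whether step 3 may still splice or still bump is fixed by the peek/stare choice made at step 2, so the example peeks at step 2 only for servers it intends to splice (selected by SNI) and stares at the rest.

```conf
# Added example (not from the thread): splice-vs-bump decided by the
# server certificate fingerprint, with SslBump errors logged.

# Step markers (at_step ACL).
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hostnames (SNI) we intend to splice. Constructed file name, one name per line.
acl NoBump_sni ssl::server_name "/etc/squid/no-ssl-bump-sni.list"

# SHA1 fingerprints of the server certificates expected behind those names.
# One per line, colon-separated UPPERCASE hex, as Squid formats it, e.g.
#   AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01   (constructed placeholder)
# Produce one from a saved leaf certificate with:
#   openssl x509 -in server.pem -noout -fingerprint -sha1 | cut -d= -f2
acl NoBump_certificate_fingerprint server_cert_fingerprint "/etc/squid/no-ssl-bump-server-fingerprint.list"

# Step 1: read the client hello (SNI) without committing.
ssl_bump peek step1

# Step 2: the fingerprint is not known yet, but the peek/stare choice here
# decides what step 3 can do. Peek only where we plan to splice; stare
# elsewhere so that bumping remains possible.
ssl_bump peek NoBump_sni step2
ssl_bump stare step2

# Step 3: splice when the received certificate is in the allow-list.
ssl_bump splice NoBump_certificate_fingerprint
# A listed name that presented an unlisted certificate: neither splice
# nor bump it (bumping after a peek usually fails anyway).
ssl_bump terminate NoBump_sni
ssl_bump bump all

# Default "squid" log format with the error code and detail fields
# appended, so a connection that ended up bumped or terminated shows why.
logformat bumplog %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
access_log /var/log/squid/access.log bumplog
```

When a listed host is still being decrypted, compare the fingerprint Squid saw (the leaf certificate's SHA1 digest, uppercase, colon-separated) with the list entry, and read the %err_code/%err_detail columns of the matching access.log record to see which step the decision was taken at.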