Hey Alex,

I'm not sure I understood what these error code and error detail are. I assume that there is a relevant debug_options for parsing the fingerprint.
The next thing I was thinking about was the fingerprint validation related debug, to verify what might make squid compare the SHA1 signature wrongly.

I have attached the full squid.conf. The more relevant parts are:

## START
acl NoBump_server_regex ssl::server_name_regex -i "/etc/squid/no-ssl-bump-regex.list"
acl NoBump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/no-ssl-bump-urls-domains-regex.list"
acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
acl NoBump_dst dst "/etc/squid/no-ssl-bump-server-dst-addresses.list"
acl NoBump_certificate_fingerprint server_cert_fingerprint "/etc/squid/no-ssl-bump-server-fingerprint.list"
acl NoBump_src src "/etc/squid/no-ssl-bump-client-src.list"

acl tls_to_splice any-of NoBump_src NoBump_server_name NoBump_server_regex_by_urls_domain NoBump_server_regex NoBump_dst NoBump_certificate_fingerprint bypass_src_helper

acl Bump_server_regex ssl::server_name_regex -i "/etc/squid/ssl-bump-regex.list"
acl Bump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/ssl-bump-urls-domains-regex.list"
acl Bump_server_name ssl::server_name "/etc/squid/ssl-bump-server-name.list"
acl Bump_dst dst "/etc/squid/ssl-bump-server-dst-addresses.list"

acl tls_to_bump any-of Bump_server_name Bump_server_regex_by_urls_domain Bump_server_regex Bump_dst sni_matcher_helper yandex_bl_checker_helper

# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

ssl_bump peek tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare tls_s2_client_hello
ssl_bump bump tls_to_bump
## END

The fingerprint contains only 3 signatures and one of them is (quoted as is):
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2

My setup is working fine except this fingerprint part, which is not always the best way to splice. However, it seems like it should be pretty straightforward.
I can dump the whole config into a tar file to try and understand the setup better if required.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon

-----Original Message-----
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, January 27, 2021 5:12 PM
To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: acl aclname server_cert_fingerprint

On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
> I'm trying to understand what I'm doing wrong in the config that still
> lets edition.cnn.com be decrypted instead of spliced?

If you still need help, please share the relevant parts of your configuration and logs. I would start with ssl_bump rules and access log records containing additional %error_code/%err_detail fields.

Alex.

> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, January 26, 2021 6:22 AM
> To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: acl aclname server_cert_fingerprint
>
> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>> I'm trying to use:
>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>
>> I have created the next file:
>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>
>> And trying to use the next line:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>> To be explicit despite that only sha1 is a valid checksum.
>> Squid doesn't accept the above line
>
> Does not accept how? What is the error message?
>
>> but this one yes:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
>> Is there a reason for that?
>
> The use of ACL options and ACL parameter options is poorly documented.
>
> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
> says that server_cert_fingerprint is still broken. Not sure whether that
> was true, whether some other commit has fixed that ACL, and whether the
> problem mentioned in the commit message is related to your troubles.
> https://bugs.squid-cache.org/show_bug.cgi?id=4847
> https://github.com/squid-cache/squid/pull/191
>
> Also, according to my 2015 notes, server_cert_fingerprint happens to be
> case sensitive. I consider that a bug. I am not sure, but I think Squid
> expects uppercase hex letters (if any). I do not know whether that has
> been fixed.
>
> Finally, it is dangerous to list ACL parameter options like -sha1 in
> front of parameter filename when that parameter file may contain its own
> parameter options. A reader may think that -sha1 in squid.conf
> overwrites, say, -sha256 in the parameter file, but that is not what
> probably will happen when Squid starts supporting both options.
>
> That consideration may actually be the reason why Squid rejects your
> first configuration sample (or perhaps it should be the reason even if
> it does not).
>
> I am sure there are use cases where the admin wants to apply one
> parameter option to the whole file, but the ambiguity is too dangerous
> to allow IMO. We should make the choice explicit.
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
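A small checker for the fingerprint-list side of this thread, added here as an example and not code from the thread or from Squid: it computes the SHA1 fingerprint of a DER-encoded certificate in the colon-separated uppercase form Squid prints, parses an ACL parameter file like no-ssl-bump-server-fingerprint.list, and shows why a lowercase entry would fail if, as Alex's notes say, server_cert_fingerprint compares case-sensitively. The certificate bytes and the list contents are constructed stand-ins; in real use der_cert would be the server's DER-encoded certificate.

```python
"""Check a Squid server_cert_fingerprint list for entries that may not match."""
import hashlib
import re

# 20 colon-separated hex pairs, as in 1C:8C:EC:...:E6:B2 from the thread
FP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 over the DER certificate bytes, formatted like openssl/Squid."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def parse_fingerprint_list(text: str) -> list:
    """One value per line; '#' comments and blank lines are ignored.
    A leading '-sha1' parameter option inside the file is dropped.
    Entries are returned exactly as the admin wrote them (case untouched)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("-sha1"):
            line = line[len("-sha1"):].strip()
        if line:
            entries.append(line)
    return entries


def acl_matches(der_cert: bytes, entries: list, case_sensitive: bool = True) -> bool:
    """Would an ACL built from `entries` match this certificate?
    case_sensitive=True models the behaviour Alex describes (assumption)."""
    fp = sha1_fingerprint(der_cert)
    if case_sensitive:
        return fp in entries
    return fp in {e.upper() for e in entries}


def lint_fingerprint_list(text: str) -> list:
    """Return (entry, problem) pairs for entries Squid may silently not match."""
    problems = []
    for entry in parse_fingerprint_list(text):
        if not FP_RE.match(entry):
            problems.append((entry, "malformed: expected 20 colon-separated hex pairs"))
        elif entry != entry.upper():
            problems.append((entry, "lowercase hex: Squid compares case-sensitively"))
    return problems


CONSTRUCTED_DER = b"abc"  # stand-in for DER certificate bytes (constructed)
SAMPLE_LIST = """# constructed no-ssl-bump-server-fingerprint.list
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2   # value from the thread
a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d   # lowercase, will not match
"""
```

Running lint_fingerprint_list(SAMPLE_LIST) flags the lowercase line, and acl_matches(CONSTRUCTED_DER, parse_fingerprint_list(SAMPLE_LIST)) is False until that entry is rewritten in uppercase.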
Attachment: squid.conf (binary data)