
Re: cannot open site


On 11/18/21 4:44 AM, Amos Jeffries wrote:
> On 18/11/21 20:08, Majed Zouhairy wrote:
>> squid is using ssl bump

> TLS/1.3 handshakes are encrypted. It often cannot be bumped, only
> spliced. Check that traffic to this server is not attempting to
> bump/decrypt.

Just to clarify: IIRC, bugs notwithstanding, Squid's basic ability to bump
connections to a TLS server does not depend on the TLS version. For
example, if the decision to bump is made during step2, then Squid should
be able to bump connections to TLS v1.3 servers.

However, when dealing with TLS v1.3 servers, some SslBump configurations
may match ssl_bump rules that admins do not expect to be matched and may
result in generation of deficient fake certificates because the plain
text parts of the handshake do not contain the server certificate.

Due to the lack of server certificates in the plain text part of the
Squid-server handshake, peeking or staring at the TLS v1.3 server is a
lot less useful than peeking or staring at TLS servers that use earlier
TLS versions.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
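
The rule ordering discussed in the reply above, as an added squid.conf sketch; it is not part of the original message and is not the poster's configuration. The ACL names `step1`, `step2` and `step3` are assumptions chosen for illustration.

```conf
# Added example: constructed squid.conf fragment, not from the thread.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: peek, so that Squid reads the TLS Client Hello (including SNI)
# before the next ssl_bump rule is evaluated.
ssl_bump peek step1

# Step 2: make the final decision here, without peeking or staring at
# the server first. Per the reply above, a bump decided during step2
# should work regardless of the TLS version the server speaks.
ssl_bump bump step2

# Alternative ordering that the reply cautions about (left commented out).
# Staring at step2 defers the decision to step3, after the plain text part
# of the server handshake. For a TLS v1.3 server that part carries no
# server certificate, so rules evaluated at step3 may match unexpectedly
# and the generated fake certificate may be deficient.
#
# acl step3 at_step SslBump3
# ssl_bump peek step1
# ssl_bump stare step2
# ssl_bump bump step3
```

After a change like this, `squid -k parse` checks the configuration for syntax errors before it is loaded.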


