By the help of God.
If I'm using the self signed certificate that I created for the ssl bump, then the browser considers it as the same certificate for any domain I'm connecting to?
בתאריך יום ג׳, 22 בפבר׳ 2022 ב-7:35 מאת Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>:
Thanks Christos,
I was aware of such things but haven't seen such a case.
Is there any way to "reproduce" this?
I believe it should be documented in the wiki.
Thanks,
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Christos Tsantilas
Sent: Monday, February 21, 2022 11:41
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Splice certain SNIs which served by the same IP
Hi Ben,
When HTTP/2 is used, requests for two different domains may served using
the same TLS connection if both domains are served from the same remote
server and use the same TLS certificate.
There is a description here:
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
And a similar problem report here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1176673
Regards,
Christos
On 14/2/22 3:49 μ.μ., Ben Goz wrote:
> By the help of God.
>
> Hi,
> Ny squid version is 4.15, using it on tproxy configuration.
>
> I'm using ssl bump to intercept https connection, but I want to splice
> several domains.
> I have a problem that when I'm splicing some google domains eg.
> youtube.com <http://youtube.com> then
> gmail.com <http://gmail.com> domain also spliced.
>
> I know that it is very common for google servers to host multiple
> domains on single server.
> And I suspect that when I'm splicing for example youtube.com
> <http://youtube.com> it'll also splices google.com <http://google.com>.
>
> Here are my squid configurations for the ssl bump:
>
> https_port xxxx ssl-bump tproxy generate-host-certificates=on
> options=ALL dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
>
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i
> "/usr/local/squid/etc/url-no-bump-regexp"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users