Re: Trying to set up SSL cache

On Sat, 26 Feb 2022 00:16:30 +1300
Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> [...]
>
> There are a few things to be aware of while troubleshooting:
> 
> * not all TLS connections can be bump'ed. TLS is designed to prevent 
> exactly the type of decrypt that bump does. If the client and server are 
> using TLS properly bump *will* fail.
> 
> 
> * Google are known to be rather pedantic about security. So having their 
> software at either end of the TLS when testing is more likely to hit 
> such non-decryptable TLS connections.
> 
> 
> * Checking the test web service for TLS certificate pinning or DANE. 
> Both of these lock the/some client into using the original server 
> certificate and they will unavoidably reject the Squid signing CA.
> 
> * Check traffic from the web server for HTTPS-Transport-Security or 
> Alt-Svc HTTP headers. Both of these can break SSL-Bump if they reach a 
> client. What is worse they can force arbitrarily long cache times for 
> the info they contain, causing breakage to extend across the whole 
> period. Only a full client purge of state and never receiving the info 
> again can via any protocol fix these.
> 
> 
> Amos

Hi Amos, this is very useful info; thank you. I've just added in some rules to drop the HSTS and Alt-Svc headers to avoid this trouble. Thanks for explaining step by step how these bump rules affect the proxy behavior.

-- 
Dave Blanchard <dave@xxxxxxxxxxx>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
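One way to implement the header check Amos describes, as an added example that is not code from this thread or from the Squid project: given a raw HTTP/1.x response captured from the origin server, it reports whether the response carries Strict-Transport-Security or Alt-Svc and how long a client will keep that state (the sample response and the header names are constructed for illustration).

```python
"""Detect response headers that leave long-lived state in a client and
break SSL-Bump once cached: HSTS (hard-fails on the proxy's signing CA)
and Alt-Svc (steers the client to an alternative endpoint)."""
import re

ALT_SVC_DEFAULT_MA = 86400  # RFC 7838: "ma" defaults to 24 hours when absent


def parse_headers(raw_response: str) -> dict:
    """Map lower-cased header names to values from a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Seconds the client will enforce HTTPS for this host (0 if malformed)."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def alt_svc_lifetime(value: str):
    """Longest lifetime among the advertised alternatives; None for 'clear'."""
    if value.strip().lower() == "clear":
        return None
    longest = 0
    for alt in value.split(","):
        m = re.search(r"\bma\s*=\s*\"?(\d+)", alt, re.I)
        longest = max(longest, int(m.group(1)) if m else ALT_SVC_DEFAULT_MA)
    return longest


def bump_breakers(raw_response: str) -> dict:
    """Return {header_name: seconds_of_cached_state} for each breaker found."""
    h = parse_headers(raw_response)
    found = {}
    if "strict-transport-security" in h:
        found["Strict-Transport-Security"] = hsts_max_age(h["strict-transport-security"])
    if "alt-svc" in h:
        life = alt_svc_lifetime(h["alt-svc"])
        if life is not None:
            found["Alt-Svc"] = life
    return found


# Constructed sample response, not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    'Alt-Svc: h3=":443"; ma=2592000, h2=":443"\r\n'
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, secs in bump_breakers(SAMPLE_RESPONSE).items():
        print(f"{name}: client keeps this state for {secs // 86400} days")
```

Any header reported here is a candidate for stripping at the proxy (Dave's rules above) before it ever reaches a client, since once cached only a client-side purge clears it.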