On Sat, 26 Feb 2022 00:16:30 +1300 Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> [...]
>
> There are a few things to be aware of while troubleshooting:
>
> * Not all TLS connections can be bump'ed. TLS is designed to prevent
> exactly the type of decrypt that bump does. If the client and server are
> using TLS properly, bump *will* fail.
>
> * Google are known to be rather pedantic about security. So having their
> software at either end of the TLS when testing is more likely to hit
> such non-decryptable TLS connections.
>
> * Check the test web service for TLS certificate pinning or DANE.
> Both of these lock the/some client into using the original server
> certificate, and they will unavoidably reject the Squid signing CA.
>
> * Check traffic from the web server for HTTPS-Transport-Security or
> Alt-Svc HTTP headers. Both of these can break SSL-Bump if they reach a
> client. What is worse, they can force arbitrarily long cache times for
> the info they contain, causing breakage to extend across the whole
> period. Only a full client purge of state, and never receiving the info
> again via any protocol, can fix these.
>
> Amos

Hi Amos, this is very useful info; thank you. I've just added in some
rules to drop the HSTS and Alt-Svc headers to avoid this trouble. Thanks
for explaining step by step how these bump rules affect the proxy
behavior.

-- 
Dave Blanchard <dave@xxxxxxxxxxx>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
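The header-dropping rules Dave refers to, written out as an added squid.conf example (this is not Dave's config nor text from the Squid project; it assumes a Squid build that exposes the `reply_header_access` directive and a configuration that already has `ssl_bump` set up). The HSTS header's real name is `Strict-Transport-Security`, which is what the rule must match:

```conf
# Added example, not from the thread: strip the two response headers Amos
# lists so that a client behind the SSL-Bump proxy never caches them.
#
# Strict-Transport-Security (HSTS): once cached, the browser refuses any
# connection to the host whose certificate chain it does not trust, for
# max-age seconds, so it would reject the Squid signing CA outright.
reply_header_access Strict-Transport-Security deny all

# Alt-Svc: advertises an alternative endpoint or protocol (e.g. HTTP/3
# over UDP) that the client would use directly, bypassing the bump.
reply_header_access Alt-Svc deny all
```

The rules take effect after `squid -k reconfigure` and only for responses that pass through the proxy from then on. As Amos points out, a client that has already stored an HSTS policy or an Alt-Svc entry keeps honouring it until that state is cleared, so verify the change from a fresh browser profile rather than one that has previously reached the test site.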