Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-31 Thread Sid
Thank you Alex.

>Sounds good. Does the generated fake certificate contain the right origin
>server name?
Sid: Yes, it does contain correct IP Address in Server name sent by client.
 

>Why do you expect the client to send a client certificate to Squid? In most
>deployments, TLS servers do not request client certificates and, hence, TLS
>clients do not send client certificates. IIRC, you did not configure your
>Squid to request a client certificate from the client?

>Or is there a terminology problem where "client certificate sent to 
Squid" means something other than "an x509 certificate requested by a 
TLS server and sent to that server by a TLS client during TLS 
handshake"? Please note that Squid is a TLS server in this context. 

Sid: Actually in my case Server is looking for a certificate to be sent by
client; it isn't a Web Server but SBC looking for a certificate sent by
a client to grant further voice & video call. How to configure Squid to get
this certificate from client for mutual authentication?

>Perhaps the alert may not be related to certificate validation. If you want
>to verify whether UCAppsCA.pem is enough to trust the origin server, you can
>use "curl" or "openssl s_client" tools for a test. They should fail to
>validate the server when not configured to use UCAppsCA.pem and they should
>succeed otherwise.

Sid: I have tried the following, which shows "Verify return code: 0 (ok)":
openssl s_client -connect :443 -CAfile /usr/local/squid/etc/UCAppsCA.pem






--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] redirect based on url (302)

2018-10-31 Thread Amos Jeffries
On 31/10/18 11:27 PM, uppsalanet wrote:
> Hi Amos,
> Is there a git that I can use to push stuff up?
> 

Do you mean to make a change PR against the official code?

The key details for people wanting to assist with Squid development are
linked from here: 



> I think you need to split the string in another way, look into this
> example:
> #!/usr/bin/perl
> use strict;
> use warnings;
> 
> $|=1;
> while (<>) {
>  my $string = $_;
>  print "Received '\$_' = ".$_."\n";   
> 
>  $string =~ m/^(\d+)\s(.*)$/;
>  print "After regexp '\$string' = ".$string."\n";
>  print "After regexp '\$1' = ".$1."\n";   
>  print "After regexp '\$2' = ".$2."\n"; 
> 
>  ### Original split from source ###
>  ### This doesn't split anything looks like elements of an array?
>  #my ($cid, $uid) = ($1, $2);
> 
>  ### Split the string ###
>  ### Those two split based on one or more spaces
>  #my ($cid, $uid) = split(/\s+/ ,$_);
>  my ($cid, $uid) = split;
>  $cid =~ s/%(..)/pack("H*", $1)/ge;
>  $uid =~ s/%(..)/pack("H*", $1)/ge;
>  print "After split \$cid = ".$cid."\n";
>  print "After split \$uid = ".$uid."\n";
> }
> 
> Output from above with intake value '130.238.000.00 muse.jhu.edu -':
> Received '$_' = 130.238.000.00 muse.jhu.edu -
> After regexp '$string' = 130.238.000.00 muse.jhu.edu -
> Use of uninitialized value $1 in concatenation (.) or string at
> ./sed_test_reg.pl line 13, <> line 1.
> After regexp '$1' = 
> Use of uninitialized value $2 in concatenation (.) or string at
> ./sed_test_reg.pl line 14, <> line 1.
> After regexp '$2' = 
> After split $cid = 130.238.000.00
> After split $uid = muse.jhu.edu
> 


$cid should be the concurrency channel ID.  Configured with the
"concurrency=N" option to external_acl_type in squid.conf. (Seems I
missed another bit of the config.)

If you are wanting to assist with fixing the helper, it could do with a
change to auto-detect whether the first column is a CID (numeric only)
or not (anything but whitespace following a numeral).


Amos
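
Added example (not part of Amos's message and not the helper's own code): one way to do the auto-detection described above, sketched in Python rather than the helper's Perl. The function names and the allow-only-muse.jhu.edu policy are assumptions; the first sample line is the input from the quoted post.

```python
import io
import re
from urllib.parse import unquote

# A channel ID is a numeric-only first column: digits followed by whitespace
# (or by end of line). "130.238.000.00" starts with digits but is not one.
_CID = re.compile(r"^(\d+)(?:\s+(.*))?$")


def parse_request(line, concurrency=None):
    """Return (channel_id, fields) for one request line from Squid.

    concurrency=None auto-detects the channel ID; True or False forces the
    interpretation, which is needed when the first real field can itself be
    purely numeric (auto-detection cannot tell the two apart).
    """
    line = line.rstrip("\r\n")
    m = _CID.match(line) if concurrency is not False else None
    if concurrency is True and m is None:
        raise ValueError("expected a numeric channel ID: %r" % line)
    cid, rest = (m.group(1), m.group(2) or "") if m else (None, line)
    # Fields arrive %-escaped; decode after splitting so that an escaped
    # space (%20) stays inside its field.
    return cid, [unquote(tok) for tok in rest.split()]


def format_reply(cid, ok):
    """Build the reply line; with concurrency the channel ID is echoed back."""
    verdict = "OK" if ok else "ERR"
    return verdict + "\n" if cid is None else "%s %s\n" % (cid, verdict)


def serve(inp, out, decide, concurrency=None):
    """Answer every request line on inp, flushing each reply (like $|=1)."""
    for line in inp:
        if not line.strip():
            continue
        cid, fields = parse_request(line, concurrency)
        out.write(format_reply(cid, decide(fields)))
        out.flush()


def demo():
    # Constructed input: the line from the post above, the same line as Squid
    # would send it with concurrency=N, and one with an escaped space.
    requests = io.StringIO(
        "130.238.000.00 muse.jhu.edu -\n"
        "7 130.238.000.00 muse.jhu.edu -\n"
        "8 10.0.0.5 example.org some%20user\n"
    )
    replies = io.StringIO()
    # Hypothetical policy: allow only requests for muse.jhu.edu.
    serve(requests, replies, lambda f: len(f) > 1 and f[1] == "muse.jhu.edu")
    return replies.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```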


Re: [squid-users] ERROR The requested URL could not be retrieved

2018-10-31 Thread Amos Jeffries
On 1/11/18 4:08 AM, Uchenna Nebedum wrote:
> Thanks a lot Amos, I really didn't notice I had been sending private
> emails, Really sorry about that. 
> 
> About the config, The proxy works fine now, it bumps the traffic
> successfully.
> I've added the sites I want to be bumped but the browser errors thrown
> are too much, and it's a scenario where I can't install the certificate
> on every device.

In that case you already have it going as well as it will ever do for
this setup. Having the certificate installed on the device is the only
way to prevent the warning messages. The whole point of TLS is to
generate those warnings when an unknown or untrusted CA is used.

Amos


Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-31 Thread Alex Rousskov
On 10/30/18 10:59 PM, Sid wrote:

> Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
> between Client & Squid and then between Squid & Server. I can see client
> being sent fake cert generated by Squid & client responds with "Client key
> Exchange", "Change cipher spec", "Encrypted Handshake Message". 

Sounds good. Does the generated fake certificate contain the right
origin server name?


> But I can't see actual client certificate sent to Squid.

Why do you expect the client to send a client certificate to Squid? In
most deployments, TLS servers do not request client certificates and,
hence, TLS clients do not send client certificates. IIRC, you did not
configure your Squid to request a client certificate from the client?

Or is there a terminology problem where "client certificate sent to
Squid" means something other than "an x509 certificate requested by a
TLS server and sent to that server by a TLS client during TLS
handshake"? Please note that Squid is a TLS server in this context.


> Is there a way to decrypt in Wireshark.

Yes, there are several ways, including giving Wireshark your Squid's
private certificate key. Sorry, I do not have detailed instructions.
Please note that the encrypted part probably does not matter -- in most
cases prior to TLS v1.3, it is the plain text Hellos that are important
when it comes to bumping the connection.


> In Wireshark between Squid & Server I can see Squid responding
> with "61 Alert (Level: Fatal, Description: Internal Error)".

> Alex: Is your Squid configured to trust those internal CAs? If not, Squid
> would not be able to validate the server certificate. 

> Sid: I have added those chained certificates as following in squid.conf
> tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem

Perhaps the alert may not be related to certificate validation. If you
want to verify whether UCAppsCA.pem is enough to trust the origin
server, you can use "curl" or "openssl s_client" tools for a test. They
should fail to validate the server when not configured to use
UCAppsCA.pem and they should succeed otherwise.


HTH,

Alex.


Re: [squid-users] Squid 3.5.25 does not recognise ICAP 408 status code

2018-10-31 Thread Alex Rousskov
On 10/31/18 11:20 AM, Arunabha Saha wrote:
>>As with any timeout, it is impossible to say in general which side of
>>the connection is at fault. This case has at least three sides: It could
>>be the HTTP agent, Squid, and/or the ICAP service. Did one of them stall
>>the transaction? Or was the ICAP service just too impatient? See option
>>#4 below.

> I've tried to track this down. There are some persistent sockets used
> by SaaS apps for APIs (otservice api from google sites) and sometimes
> the HTTP response takes a long time to trickle in. I have seen up to 25
> seconds for the response body to trickle in after the response header.

Glad you found the culprit!

 
> The timeout at 10 seconds is somewhat aggressive so moving
> that up should help but some code changes in either squid or icap as
> suggested look necessary.

If you do not want to modify Squid, then the ICAP service should tell
Squid what to do with the timed out HTTP transaction (e.g., respond with
ICAP 204 or ICAP 200) instead of telling Squid that the service does not
know what to do (i.e. respond with ICAP 408). When the service does not
know what to do, Squid does not know what to do either, resulting in
transaction errors (that Squid blames the ICAP service for).

Please note that teaching Squid about the special meaning of ICAP 408
(Timeout) responses is not enough to address the problem -- Squid would
still need to know what to do with the HTTP transaction (e.g. block it,
pass through as is, or abort) and with the service (count a service
failure or ignore the timeout). Those decisions are likely to be
different for different admins/deployments.

Alex.

> I was referring to the c-icap implementation.

> On 10/30/18 6:45 PM, Arunabha Saha wrote:
> 
> > Squid 3.5.25 does not seem to recognise the 408 request timeout error
> > code from ICAP.
> 
> Squid effectively recognizes ICAP 408 response as an ICAP transaction
> error response and blames the ICAP service for that error. That
> (minimal) support can be improved, of course. See options #1 and #3
> below.
> 
> 
>  
> 
> 
> Needless to say, treating all ICAP service timeouts as if nothing bad
> happened would break some existing Squid deployments (while possibly
> fixing yours). A proper general solution (option #3 below) would most
> likely require making Squid behavior configurable.
> 
> 
> > The more troublesome issue for me is the exception it generates and then
> > declares ICAP down after a certain number of such exceptions.
> >
> > I don't want to disable the failure limit entirely given that we can
> > often have genuine failures that squid needs to detect.   
> >
> > What i'd like to see is squid should not throw an exception in this
> > case.
> 
> The "exception" is a minor low-level/technical detail. What you really
> want to see is Squid blaming itself (rather than the ICAP service) for
> the problem. Squid indeed lacks that kind of functionality, but it can
> be added if really needed. See options #1 and #3 below.
> 
> 
> > The timeout is somewhat aggressive but works with an earlier
> > version of ICAP (0.1.x).  The one i'm testing is 0.5.3.
> 
> Please note that ICAP is a protocol, not a product/software name. It
> probably does not matter what ICAP service you are using though.
> 
> 
> > Any suggestions?
> 
> I can suggest a few options, in no particular order:
> 
> 1. Modify your Squid to treat 408 differently.
> 2. Modify your ICAP service to stop sending ICAP 408 responses to Squid.
> 3. Add proper ICAP timeout support feature to Squid.
> 4. Investigate why your ICAP service times out. If you are lucky, you
>    may be able to fix or work around the problem by adjusting Squid
>    and/or your ICAP service configuration.
> 
> For option #1, Adaptation::Icap::ModXact::parseIcapHead() may be a good
> starting point.
> 
> For options #1 and #3, see also
> 
> https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
> 
> In most cases, option #4 is the best first step but YMMV.
> 
> 
> HTH,
> 
> Alex.
> 
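
Added example (not from Alex's message, Squid or c-icap): what the ICAP service side of the advice above can look like, i.e. answering a timed-out transaction with ICAP 204 or ICAP 200 instead of ICAP 408, with the choice left to an admin setting. The function names, the ISTag value and the 403 replacement page are assumptions.

```python
ISTAG = '"timeout-demo-1"'  # constructed service tag (assumption)


def _icap(status_line, encapsulated, payload=b""):
    """Assemble an ICAP response head plus its encapsulated section."""
    head = (
        "ICAP/1.0 %s\r\n"
        "ISTag: %s\r\n"
        "Encapsulated: %s\r\n"
        "\r\n" % (status_line, ISTAG, encapsulated)
    )
    return head.encode("ascii") + payload


def pass_through():
    """ICAP 204: tell the ICAP client to use the HTTP message unmodified."""
    return _icap("204 No Content", "null-body=0")


def block(reason=b"Content scan timed out.\n"):
    """ICAP 200 carrying a replacement HTTP 403 response."""
    http_hdr = (
        "HTTP/1.1 403 Forbidden\r\n"
        "Content-Type: text/plain\r\n"
        "Content-Length: %d\r\n"
        "\r\n" % len(reason)
    ).encode("ascii")
    # The encapsulated body is always chunked, whatever the HTTP headers say.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(reason), reason)
    # res-body is the byte offset of the body from the start of the
    # encapsulated section, i.e. the length of the HTTP header block.
    enc = "res-hdr=0, res-body=%d" % len(http_hdr)
    return _icap("200 OK", enc, http_hdr + chunked)


def on_timeout(policy, allow_204):
    """Choose the ICAP reply for a transaction the service gave up on.

    policy: "pass" (fail open) or "block" (fail closed), an admin setting.
    allow_204: whether the ICAP request carried "Allow: 204". Without it a
    204 is not permitted outside preview, and the service cannot echo a
    message it never finished receiving, so "pass" degrades to "block".
    """
    if policy not in ("pass", "block"):
        raise ValueError("unknown timeout policy: %r" % policy)
    if policy == "pass" and allow_204:
        return pass_through()
    return block()


def split_encapsulated(reply):
    """Parse a reply built above into (icap_status, http_header, body_chunks)."""
    icap_head, _, section = reply.partition(b"\r\n\r\n")
    lines = icap_head.decode("ascii").split("\r\n")
    status = int(lines[0].split()[1])
    enc = dict(h.split(": ", 1) for h in lines[1:])["Encapsulated"]
    offsets = dict(p.strip().split("=") for p in enc.split(","))
    if "res-body" not in offsets:
        return status, b"", b""
    cut = int(offsets["res-body"])
    return status, section[:cut], section[cut:]


if __name__ == "__main__":
    for policy, allow in (("pass", True), ("pass", False), ("block", True)):
        print(policy, allow, split_encapsulated(on_timeout(policy, allow))[0])
```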


Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-31 Thread Rafael Akchurin
Hello Samuel,

Yes will make the Docker when 7.0 is in beta stage, now we need to polish it a 
little.
Added issue at https://github.com/diladele/websafety-issues/issues/1030

Best regards,
Rafael Akchurin
Diladele B.V.

From: squid-users  On Behalf Of S 
Irlapati
Sent: Wednesday, 31 October 2018 19:54
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with 
sslbump support from sources in Debian unstable)


Is it possible to make a docker image for this?
On 10/31/18 12:23 PM, Rafael Akchurin wrote:
Greeting all,

The online repository with latest Squid 4.4 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid44.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid43.diladele.com 
will be taken down in two weeks.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid44.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid44.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient








Re: [squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-31 Thread S Irlapati

Is it possible to make a docker image for this?

On 10/31/18 12:23 PM, Rafael Akchurin wrote:


Greeting all,

The online repository with latest Squid 4.4 (rebuilt from Debian 
unstable with sslbump support) for Ubuntu 18 LTS 64-bit is available 
at squid44.diladele.com. Github repo at 
https://github.com/diladele/squid-ubuntu contains the scripts we used 
to make this compilation.


Hope you will find this helpful. Note that older repo of 
squid43.diladele.com will be taken down in two weeks.


Best regards,

Rafael Akchurin

Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more 
information see readme at https://github.com/diladele/squid-ubuntu .


# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid44.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid44.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient




[squid-users] Ubuntu 18 LTS repository for Squid 4.4 (rebuilt with sslbump support from sources in Debian unstable)

2018-10-31 Thread Rafael Akchurin
Greeting all,

The online repository with latest Squid 4.4 (rebuilt from Debian unstable with 
sslbump support) for Ubuntu 18 LTS 64-bit is available at squid44.diladele.com. 
Github repo at https://github.com/diladele/squid-ubuntu contains the scripts we 
used to make this compilation.

Hope you will find this helpful. Note that older repo of squid43.diladele.com 
will be taken down in two weeks.

Best regards,
Rafael Akchurin
Diladele B.V.

P.S. Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add repo
echo "deb http://squid44.diladele.com/ubuntu/ bionic main" > /etc/apt/sources.list.d/squid44.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install squid-common
apt-get install squid
apt-get install squidclient





Re: [squid-users] Squid 3.5.25 does not recognise ICAP 408 status code

2018-10-31 Thread Arunabha Saha
>As with any timeout, it is impossible to say in general which side of
>the connection is at fault. This case has at least three sides: It could
>be the HTTP agent, Squid, and/or the ICAP service. Did one of them stall
>the transaction? Or was the ICAP service just too impatient? See option
>#4 below.
I've tried to track this down. There are some persistent sockets used by
SaaS apps for APIs (otservice api from google sites) and sometimes the HTTP
response takes a long time to trickle in. I have seen up to 25 seconds for
the response body to trickle in after the response header. I don't know
yet if this is due to network delays but given that it happens only for
this particular uri I'm theorizing that this is how it works. I can
whitelist the one I am aware of that is causing this issue but again the
concern is what about others that might throw this exception. The
timeout at 10 seconds is somewhat aggressive so moving that up should help
but some code changes in either squid or icap as suggested look necessary.

>Please note that ICAP is a protocol, not a product/software name. It
>probably does not matter what ICAP service you are using though.

Correct.  I was referring to the c-icap implementation.

On Wed, Oct 31, 2018 at 5:00 AM 
wrote:

> On 10/30/18 6:45 PM, Arunabha Saha wrote:
>
> > Squid 3.5.25 does not seem to recognise the 408 request timeout error
> > code from ICAP.
>
> Squid effectively recognizes ICAP 408 response as an ICAP transaction
> error response and blames the ICAP service for that error. That
> (minimal) support can be improved, of course. See options #1 and #3 below.
>
>
>

>
> Needless to say, treating all ICAP service timeouts as if nothing bad
> happened would break some existing Squid deployments (while possibly
> fixing yours). A proper general solution (option #3 below) would most
> likely require making Squid behavior configurable.
>
>
> > The more troublesome issue for me is the exception it generates and then
> > declares ICAP down after a certain number of such exceptions.
> >
> > I don't want to disable the failure limit entirely given that we can
> > often have genuine failures that squid needs to detect.
> >
> > What i'd like to see is squid should not throw an exception in this
> > case.
>
> The "exception" is a minor low-level/technical detail. What you really
> want to see is Squid blaming itself (rather than the ICAP service) for
> the problem. Squid indeed lacks that kind of functionality, but it can
> be added if really needed. See options #1 and #3 below.
>
>
> > The timeout is somewhat aggressive but works with an earlier
> > version of ICAP (0.1.x).  The one i'm testing is 0.5.3.
>
> Please note that ICAP is a protocol, not a product/software name. It
> probably does not matter what ICAP service you are using though.
>
>
> > Any suggestions?
>
> I can suggest a few options, in no particular order:
>
> 1. Modify your Squid to treat 408 differently.
> 2. Modify your ICAP service to stop sending ICAP 408 responses to Squid.
> 3. Add proper ICAP timeout support feature to Squid.
> 4. Investigate why your ICAP service times out. If you are lucky, you
>    may be able to fix or work around the problem by adjusting Squid
>    and/or your ICAP service configuration.
>
> For option #1, Adaptation::Icap::ModXact::parseIcapHead() may be a good
> starting point.
>
> For options #1 and #3, see also
>
> https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
>
> In most cases, option #4 is the best first step but YMMV.
>
>
> HTH,
>
> Alex.
>
>
> --
>
> Message: 2
> Date: Tue, 30 Oct 2018 23:59:18 -0500 (CDT)
> From: Sid 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.3: SSL Bump fails to send client
> certificate
> Message-ID: <1540961958277-0.p...@n4.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
> Thank you Alex for the reply.
>
> Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should
> forward SNI it received from the client to the server, provided the client
> actually sent SNI. Did your client send SNI?
>
> Sid: I can see in Client Hello IP Address being sent by Client; so there is
> no SNI from client itself.
>
> Alex: 2. Bugs notwithstanding, the implied order of events is not what
> actually happens: Squid, as configured, does _not_ fo

Re: [squid-users] ERROR The requested URL could not be retrieved

2018-10-31 Thread Uchenna Nebedum
Thanks a lot Amos, I really didn't notice I had been sending private
emails, Really sorry about that.

About the config, The proxy works fine now, it bumps the traffic
successfully.
I've added the sites I want to be bumped but the browser errors thrown are
too much, and it's a scenario where I can't install the certificate on
every device.

So I wanted to know if there was a way to reduce the privacy errors. Thanks
a lot.

Uchenna Nebedum

On Wed, Oct 31, 2018, 03:07 Amos Jeffries  wrote:

> On 31/10/18 1:45 AM, Uchenna Nebedum wrote:
> > Thanks a lot it works now... I've added site bumping exceptions, and it
> > still throws invalid certificate exceptions even though it uses the
> > 'ssl_bump stare' configuration, is it possible to reduce the errors?
> >
> > Uchenna Nebedum
> >
>
> Maybe, the above is a bit vague on details.
>
> What exactly do you have configured now after those changes?
>
> And what exact error(s) are you seeing now?
>
>
> Amos
>
> PS. please reply to the list instead of me personally.
>
> PPS. If you want dedicated support I do provide it commercially, but you
> started this on-list so I assume you are not wanting to receive an
> invoice for responses.


Re: [squid-users] bank blocked

2018-10-31 Thread Marcus Kool

When there is an issue with a certificate, it is good practice to go to ssllabs 
to verify what is going on.

https://www.ssllabs.com/ssltest/analyze.html?d=i.bps%2dsberbank.by&hideResults=on&latest
shows that there is an incomplete certificate chain issue (in orange) which 
means that the server of the bank does not send all (intermediate) certificates.
Click on the blue '+' of certification paths and it shows that the 'GeoTrust 
RSA CA 2018' (intermediate certificate) had to be downloaded.

The messages are not from Squid but from ufdbGuard which apparently is 
configured with an option to block the URL in case of a certificate issue.
Since Squid already checks for valid certificate chains, I suggest turning this 
option off in ufdbGuard.

Marcus


On 31/10/2018 11:48, Vacheslav wrote:

I do not use bump or splice if that is what you mean. I do not import 
certificates.. it works without proxy.

-Original Message-
From: squid-users  On Behalf Of 
Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] bank blocked

On 31.10.18 17:41, Vacheslav wrote:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: 
UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert 
Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018


does your system recognize this authority? Do you have an actual list of CAs?


2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head 
Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has 
error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config 
https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?
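
Added example (not part of Marcus's message and not ufdbGuard code): a small triage script for the situation described above, which reads ufdbGuard log lines of the form quoted in this thread and lists each unrecognised issuer with the endpoints it affected, i.e. the candidate intermediate certificates the server did not send. The log layout is assumed from the quoted lines only, and the function names are assumptions.

```python
import re

# Constructed sample: the ufdbGuard lines quoted in this thread, with the
# e-mail line wrapping undone.
SAMPLE = """\
2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config https-option  i.bps-sberbank.by:443 CONNECT
"""

# "date time [pid] message"; the gap after "]" may have been lost in transit.
LINE = re.compile(r"^\S+ \S+ \[(\d+)\]\s*(.*)$")
UNRECOGNISED = re.compile(r"certificate for (\S+): UNRECOGNISED ISSUER")
BLOCKED = re.compile(r"^BLOCK\b.*\s(\S+:\d+) CONNECT$")


def cn_of(dn):
    """Return the CN component of a slash-separated distinguished name."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return dn


def missing_issuers(log_text):
    """Map each unrecognised issuer CN to the endpoints it affected."""
    findings = {}  # issuer CN -> {"endpoints": set, "blocked": set}
    pending = {}   # pid -> endpoint still waiting for its issuer line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        hit = UNRECOGNISED.search(msg)
        if hit:
            pending[pid] = hit.group(1)
            continue
        if msg.startswith("issuer:") and pid in pending:
            cn = cn_of(msg[len("issuer:"):].strip())
            entry = findings.setdefault(cn, {"endpoints": set(), "blocked": set()})
            entry["endpoints"].add(pending.pop(pid))
            continue
        hit = BLOCKED.match(msg)
        if hit:
            # Record the block against whichever issuer flagged this endpoint.
            for entry in findings.values():
                if hit.group(1) in entry["endpoints"]:
                    entry["blocked"].add(hit.group(1))
    return findings


if __name__ == "__main__":
    for issuer, info in missing_issuers(SAMPLE).items():
        print(issuer, sorted(info["endpoints"]), "blocked:", sorted(info["blocked"]))
```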





Re: [squid-users] bank blocked

2018-10-31 Thread Vacheslav
I do not use bump or splice if that is what you mean. I do not import 
certificates.. it works without proxy.

-Original Message-
From: squid-users  On Behalf Of 
Matus UHLAR - fantomas
Sent: Wednesday, October 31, 2018 5:46 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] bank blocked

On 31.10.18 17:41, Vacheslav wrote:
>2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: 
>UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
>2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert 
>Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

does your system recognize this authority? Do you have an actual list of CAs?

>2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank 
>OAO/OU=Head Office/CN=*.bps-sberbank.by
>2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has 
>error code 12. It is marked as a TLS/SSL certificate issue
>2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config 
>https-option  i.bps-sberbank.by:443 CONNECT
>
>What is wrong?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


Re: [squid-users] bank blocked

2018-10-31 Thread Matus UHLAR - fantomas

On 31.10.18 17:41, Vacheslav wrote:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: 
UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert 
Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018


does your system recognize this authority? Do you have an actual list of CAs?


2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head 
Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has 
error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config 
https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 


[squid-users] bank blocked

2018-10-31 Thread Vacheslav
Peace,

Here is the log ufdbguard:

2018-10-31 17:34:45 [4270] TLSv1.2 certificate for i.bps-sberbank.by:443: 
UNRECOGNISED ISSUER  (maybe a certificate chain issue)  *
2018-10-31 17:34:45 [4270]issuer: /C=US/O=DigiCert 
Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
2018-10-31 17:34:45 [4270]subject: /C=BY/L=Minsk/O=BPS-Sberbank OAO/OU=Head 
Office/CN=*.bps-sberbank.by
2018-10-31 17:34:45 [4270] TLSv1.2 connection to i.bps-sberbank.by:443 has 
error code 12. It is marked as a TLS/SSL certificate issue
2018-10-31 17:34:45 [4270] BLOCK -10.17.10.17 config 
https-option  i.bps-sberbank.by:443 CONNECT

What is wrong?




Re: [squid-users] redirect based on url (302)

2018-10-31 Thread uppsalanet
Hi Amos,
Is there a git that I can use to push stuff up?

I think you need to split the string in another way, look into this
example:
#!/usr/bin/perl
use strict;
use warnings;

$|=1;
while (<>) {
 my $string = $_;
 print "Received '\$_' = ".$_."\n";   

 $string =~ m/^(\d+)\s(.*)$/;
 print "After regexp '\$string' = ".$string."\n";
 print "After regexp '\$1' = ".$1."\n";   
 print "After regexp '\$2' = ".$2."\n"; 

 ### Original split from source ###
 ### This doesn't split anything looks like elements of an array?
 #my ($cid, $uid) = ($1, $2);

 ### Split the string ###
 ### Those two split based on one or more spaces
 #my ($cid, $uid) = split(/\s+/ ,$_);
 my ($cid, $uid) = split;
 $cid =~ s/%(..)/pack("H*", $1)/ge;
 $uid =~ s/%(..)/pack("H*", $1)/ge;
 print "After split \$cid = ".$cid."\n";
 print "After split \$uid = ".$uid."\n";
}

Output from above with intake value '130.238.000.00 muse.jhu.edu -':
Received '$_' = 130.238.000.00 muse.jhu.edu -
After regexp '$string' = 130.238.000.00 muse.jhu.edu -
Use of uninitialized value $1 in concatenation (.) or string at
./sed_test_reg.pl line 13, <> line 1.
After regexp '$1' = 
Use of uninitialized value $2 in concatenation (.) or string at
./sed_test_reg.pl line 14, <> line 1.
After regexp '$2' = 
After split $cid = 130.238.000.00
After split $uid = muse.jhu.edu

Cheers
Fredrik


