Re: [squid-users] how to configure squid to check server certificate?

2020-03-01 Thread Amos Jeffries
On 2/03/20 11:32 am, GeorgeShen wrote:
> 
> Sorry, I should have said 'Trusted self-signed' CA vs non-Trusted. I was in
> one enterprise; they use a proxy server. When I went to a non-trusted CA
> server, I got a TLS handshaking error, but it worked fine when going to a
> 'trusted' CA server. And I know my connection on the proxy was not an
> SSL-Bump. I was trying to see how the proxy server decides a server is
> trusted vs non-trusted in splice. If I were going to implement this on the
> squid, how would I configure such a policy?
> 

*IF* that error was from the proxy and the proxy was a Squid, then it
can be done at step 3 with a helper after a peek or stare at step 2.

There should not need to be anything configured though. Rejecting
unknown root CAs is how TLS is designed to work. With splice the error
should be produced by your UA/Browser.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] how to configure squid to check server certificate?

2020-03-01 Thread GeorgeShen

Sorry, I should have said 'Trusted self-signed' CA vs non-Trusted. I was in
one enterprise; they use a proxy server. When I went to a non-trusted CA
server, I got a TLS handshaking error, but it worked fine when going to a
'trusted' CA server. And I know my connection on the proxy was not an
SSL-Bump. I was trying to see how the proxy server decides a server is
trusted vs non-trusted in splice. If I were going to implement this on the
squid, how would I configure such a policy?

thanks.
George





Re: [squid-users] Invalid URL when trying to access cachemgr

2020-03-01 Thread Amos Jeffries
On 29/02/20 4:11 pm, Scott wrote:
> Hi all,
> 
> I have three squid proxies, two of which respond normally to cachemgr 
> requests:
> 
> # printf "GET cache_object://localhost/info HTTP/1.0\r\n\r\n" | nc HOSTNAME 3128
> 
> The third proxy however returns an html error page:
> 

Which Squid version is this one?


Amos


[squid-users] Invalid URL when trying to access cachemgr

2020-03-01 Thread Scott
Hi all,

I have three squid proxies, two of which respond normally to cachemgr 
requests:

# printf "GET cache_object://localhost/info HTTP/1.0\r\n\r\n" | nc HOSTNAME 3128

The third proxy, however, returns an HTML error page:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the
URL: cache_object://localhost/info

I have tried replacing `localhost' with the visible_hostname to no avail.

Does anyone have any clues as to why this may be?

Thanks,
Scott


Re: [squid-users] Squid and DoH

2020-03-01 Thread Andrea Venturoli

On 2020-02-29 10:19, Amos Jeffries wrote:
> 
> With ACLs that identify the relevant messages:
> 
>    acl dns-query-url urlpath_regex ^/dns-query\??
>    acl dns-req-message req_header Content-Type ^application/dns-message$
> 
>    acl doh_request any-of dns-query-url dns-req-message
> 
>    acl doh_reply rep_header Content-Type ^application/dns-message$
> 

Thanks a lot.
I thought maybe there was a specific ready-made keyword, but the above 
is fine.


 bye
av.
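A complete squid.conf fragment built around the four ACLs Amos gives in this thread, added here as an illustration; it is not taken from the thread or from the Squid project's own documentation. It assumes the request path and headers are visible to Squid (plain HTTP, or traffic already bumped; an un-bumped CONNECT tunnel exposes neither), and the `localnet` range and the separate DoH log are assumptions for the sake of a runnable configuration.

```conf
# Added example: deny DNS-over-HTTPS through the proxy using the ACLs from the thread.
# Assumption: Squid can see the HTTP request line and headers. Inside an un-bumped
# CONNECT tunnel it sees only the host:port, so these ACLs cannot match there.

# Request side: the RFC 8484 path, or a request body declared as a DNS message.
acl dns-query-url    urlpath_regex ^/dns-query\??
acl dns-req-message  req_header    Content-Type ^application/dns-message$
acl doh_request      any-of        dns-query-url dns-req-message

# Reply side: a server answering with a DNS message on any path at all.
acl doh_reply        rep_header    Content-Type ^application/dns-message$

# Assumed local client range; adjust to your network.
acl localnet src 10.0.0.0/8

# Optional: write matching requests to their own log for review (assumed path).
access_log daemon:/var/log/squid/doh.log squid doh_request

# The deny must come before the general allow rule, otherwise the allow wins.
http_access deny doh_request
http_access allow localnet
http_access deny all

# Catch resolvers that answer with a DNS message on a path the regex does not cover.
http_reply_access deny doh_reply
http_reply_access allow all
```

Rule order is the part that bites in practice: Squid evaluates `http_access` lines top to bottom and stops at the first match, so a `deny doh_request` placed after `allow localnet` never fires. The `http_reply_access` rule covers the case the request-side ACLs miss, a DoH resolver served from a non-standard path, at the cost of the upstream request having already been sent.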


Re: [squid-users] Squid and DoH

2020-03-01 Thread Andrea Venturoli

On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:
> 
> I guess DoH means DNS over HTTPS and thus needs sslbump enabled. The easy
> but limited way would be to disable connections to publicly available DoH
> servers.
> 

Thanks.
Is someone maintaining such a list?

 bye
av.


Re: [squid-users] how to configure squid to check server certificate?

2020-03-01 Thread Amos Jeffries
On 1/03/20 3:57 pm, GeorgeShen wrote:
> 
> Is there a way, not using ssl-bump, on squid to verify the remote server has
> the certificate signed by some well-known CA or self-signed?

What are you trying to do exactly?

All root CAs are self-signed, even the "well-known" ones. It is just a
matter of who did the self-sign.

So the answer you need may be one of several things - which may not even
involve cert inspection.


> does that
> change if the server is running TLS 1.2 or 1.3?
> 

No.

Amos