Re: [squid-users] on_unsupported_protocol doesn't work for bumped https connections
On 14/11/2015 8:55 a.m., Amos Jeffries wrote:
> On 14/11/2015 8:40 a.m., Yuri Voinov wrote:
>>
>> Netcat plaintext is not HTTPS :) Also via 443 port :)
>>
>
> Thanks Yuri. Can't believe I missed that bit :-0
>
> Amos
>
>> 14.11.15 1:26, Amos Jeffries writes:
>>> On 13/11/2015 10:00 p.m., Tarik Demirci wrote:
>>>> Hi,
>>>> Did anyone try on_unsupported_protocol for bumped https connections? I
>>>> made a simple test with netcat but the test failed. The same test is
>>>> successful for port 80 (also intercepted by squid).
>>
>>> HTTPS is a supported protocol.
>>
>>> Amos
>

Hi again,

I did more detailed tests for this case. Constructing a tcp-in-https connection results in the error ERR_PROTOCOL_UNKNOWN in spite of the "on_unsupported_protocol tunnel all" conf directive. Is this a Squid bug? The doc for on_unsupported_protocol says it works for bumped tunnels, but I can't confirm this in any way.

I debugged the code and it fails in a check in the clientTunnelOnError function. By the time Squid understands it's not http inside https, the conn->nrequests value is 2. So the conn->nrequests <= 1 check fails.

Here is how I did the test:
- Install stunnel on both 'Netcat Server' and 'Client'.
- Add the issuer CA of the stunnel certificate to the trusted authorities of 'Squid Box'.
- Open a tcp connection with netcat through stunnel.

This results in the familiar ERR_PROTOCOL_UNKNOWN.

Note: I'm confident that the https setup is correct because redirecting traffic to nginx instead of netcat results in a successful connection.

Thanks,

-- 
Tarık Demirci

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] on_unsupported_protocol doesn't work for bumped https connections
Hi,

Did anyone try on_unsupported_protocol for bumped https connections? I made a simple test with netcat but the test failed. The same test is successful for port 80 (also intercepted by squid).

Netcat Server --- Squid Box --- Client

On Client:
  echo "" | nc 10.50.13.1 443

***

On Netcat Server:
  nc -kl 443

***

On Squid Box:

squid.conf:
  https_port 8443 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  ssl_bump peek step1 all
  ssl_bump bump step2 all
  on_unsupported_protocol tunnel all

access.log:
  1447235165.673 9 10.41.0.100 NONE/200 0 CONNECT 10.50.13.1:443 - HIER_NONE/- - -

-- 
Tarık Demirci
[squid-users] [feature request] Websocket Support for Intercept Mode
Hello,

Is there any plan to add support for websocket when using intercept mode? Currently, I use the SslPeekAndSplice feature but this breaks many websites using websocket (one example is web.whatsapp.com). As a workaround, after peeking at step 1, splicing problematic sites and bumping the rest works. But maintaining this list is tiring and I can't use content filtering for these sites. It would be much better if squid had support for websocket.

Related issue: http://bugs.squid-cache.org/show_bug.cgi?id=4349

-- 
Tarık Demirci
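The peek/splice/bump workaround described in the message above, written out as a squid.conf fragment built on the https_port and at_step lines from the earlier post in this thread. This is an added example, not configuration from the posts or from the Squid project; the hostnames in the nobump ACL (web.whatsapp.com is taken from the message, the rest are placeholders) and the decision to keep on_unsupported_protocol set are assumptions.

```conf
# Added example (not from the posts): peek at step 1 so the client's TLS SNI
# is known, splice connections to sites that break when bumped (WebSocket
# users), and bump everything else so content filtering still applies there.
https_port 8443 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Server names learned from the SNI during the step-1 peek.
# A leading dot matches the domain and its subdomains.
# web.whatsapp.com comes from the message above; the others are placeholders.
acl nobump ssl::server_name web.whatsapp.com .example-ws-site.test

# Step 1: look at the ClientHello without committing to bump or splice.
ssl_bump peek step1 all
# Step 2: hand known-problematic sites through as an opaque TLS tunnel.
# No decryption, so no content filtering for these hosts.
ssl_bump splice nobump
# Step 2: decrypt and inspect the rest.
ssl_bump bump step2 all

# Kept for plaintext/non-HTTP traffic on intercepted ports. Note that the
# first message in this thread reports that a non-HTTP payload inside a
# bumped TLS connection still ends in ERR_PROTOCOL_UNKNOWN with this set.
on_unsupported_protocol tunnel all
```

The ssl_bump rules are re-evaluated at every step, so the order matters: the peek rule must come first so it matches at step 1, and the splice rule must precede the bump rule so that a host on the nobump list is spliced at step 2 rather than bumped. Hosts added to the list lose content filtering, which is exactly the maintenance burden the message describes.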