Re: [squid-users] Bounces

2018-08-04 Thread login mogin
Happened to me as well, kind of a gmail <--> lists.squid-cache.org thing I
guess.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-19 Thread login mogin
I have just checked with debug_options and saw that sslflags=DELAYED_AUTH
made it skip the client cert request. Just commented that out in the config
and now it works!

Thanks a lot!

Amos Jeffries, on Thu, 19 Jul 2018 at 11:35, wrote:

> On 18/07/18 23:54, login mogin wrote:
> > Hi there,
> >
> > I have just tried with the patch and it is still not working. Do you
> > want any particular log or debug output?
> >
>
> If you could provide the cache.log output with:
>   debug_options ALL,1 3, 5, 83,9
>
> ... and a full-data packet trace of the TLS handshake.
>
> There may be more clues as to what is happening in there.
>
> (you can post that to me privately if you wish).
>
> Amos
>
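As an added illustration of what this thread converges on (not a configuration posted by anyone here; the port number and file paths are placeholders), below is the Squid 4 https_port form that reproduces the symptom beside the form that does request the client certificate. The option names are the Squid 4 http_port/https_port spellings as I know them; check them against the squid.conf.documented shipped with your build, and note that on 4.1 clientca= itself needs the parsing fix from the pull request discussed in this thread.

```conf
# Added example, not a squid.conf from the thread. Placeholders: port 3129
# and the /etc/squid/cert/... paths.

# Symptom form: the TLS handshake completes, but Squid never sends a
# CertificateRequest, because DELAYED_AUTH defers asking for the client
# certificate until an ACL needs it (the http_port documentation marks that
# deferral as not yet implemented), so the client is never authenticated.
https_port 3129 tls-cert=/etc/squid/cert/server.crt tls-key=/etc/squid/cert/server.key clientca=/etc/squid/cert/ca/ca.crt sslflags=DELAYED_AUTH

# Working form: drop DELAYED_AUTH. The certificate is requested during the
# handshake and verified against the CA list in clientca.
https_port 3129 tls-cert=/etc/squid/cert/server.crt tls-key=/etc/squid/cert/server.key clientca=/etc/squid/cert/ca/ca.crt

# Confirm it in cache.log: section 83 is Squid's TLS code and level 9 is the
# most verbose (the fuller list Amos gives above adds the config-parsing and
# socket sections).
debug_options ALL,1 83,9
```

The check that matters after the change is in the packet trace rather than the log: a CertificateRequest must appear in the server's first flight, and a client that presents no certificate, or one not chained to the clientca list, must fail the handshake rather than be served anonymously.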


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-18 Thread login mogin
Hi there,

I have just tried with the patch and it is still not working. Do you want
any particular log or debug output?

Thanks
Logan

login mogin, on Tue, 17 Jul 2018 at 12:03, wrote:

> I'll give it a try today and let you know. Thanks a lot.
>
> Logan
>
> Amos Jeffries, on Tue, 17 Jul 2018 at 08:08, wrote:
>
>> On 14/07/18 06:32, login mogin wrote:
>> > Thanks for the help. Now I am not getting any error messages but as you
>> > said I will follow the pull request.
>> >
>>
>> I've now managed to add what I think is the final bit of the fix to that
>> PR. Do you now see it fully working?
>>
>> Amos
>>
>


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-17 Thread login mogin
I'll give it a try today and let you know. Thanks a lot.

Logan

Amos Jeffries, on Tue, 17 Jul 2018 at 08:08, wrote:

> On 14/07/18 06:32, login mogin wrote:
> > Thanks for the help. Now I am not getting any error messages but as you
> > said I will follow the pull request.
> >
>
> I've now managed to add what I think is the final bit of the fix to that
> PR. Do you now see it fully working?
>
> Amos
>


Re: [squid-users] (no subject)

2018-07-13 Thread login mogin
Hi,

I don't get why you need a squid box for that purpose. If you have the
private key you could end the traffic on something like nginx and just forward
it to the SaaS; while doing that you could log the traffic as you want.

Best
Logan

On Fri, Jul 13, 2018 at 5:34 PM Krystyna Niesiołowska <krystyna.niesiolow...@interia.pl> wrote:

> Hi All,
>
> In my company, the HR uses an outsourced SaaS (on a unique public IP)
> configured with a commercial SSL certificate (i.e. I have both the private
> and the public key) accessed by our employees via a subdomain of our
> company domain (saas.company.com).
> Unfortunately, we cannot control the data being transferred by the HR
> people and because of the GDPR the board wants to be able to get alerts if
> anyone tries to transfer personal data to the cloud + a general channel to
> check against any data exfiltration.
>
> My idea is to route all traffic going to saas.company.com via a
> box running Squid with SSL interception. I would like to install the same
> cert as the one used with the SaaS. This is to avoid the need of installing
> any additional certs on users' machines. Unfortunately, I cannot find an
> option to set Squid with a single commercial cert instead of a CA (commonly
> used in interception to generate individual certs for all of the SSL traffic).
>
> Does anybody have any suggestions on the viable setup?
>
> Best wishes,
>
> Kristin
>


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-13 Thread login mogin
Thanks for the help. Now I am not getting any error messages but as you
said I will follow the pull request.

Best
Logan

On Fri, Jul 13, 2018 at 8:00 AM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 07/12/2018 11:35 PM, login mogin wrote:
> > Thanks a lot, just tried the patch, sadly still not working.
>
> If you still get "Unknown TLS option" errors when specifying clientca,
> then you may not have rebuilt Squid correctly. If you no longer get
> those errors, but Squid still does not ask the client for the
> certificate, then follow the pull request on GitHub for more
> fixes/updates -- there is more work needed to fix the bug than my
> configuration parsing patch.
>
> https://github.com/squid-cache/squid/pull/252
>
> Alex.
>
>
> > Alex Rousskov, on Thu, 12 Jul 2018 at 22:03, wrote:
> >
> > On 07/12/2018 07:58 PM, login mogin wrote:
> > > Or should I report this as a bug?
> >
> > Your call, but it is a bug. You can also try the following _untested_
> > patch: https://github.com/squid-cache/squid/pull/252.patch
> >
> >
> > Good luck,
> >
> > Alex.
> >
> >
> > > On Thu, Jul 12, 2018 at 4:11 AM login mogin wrote:
> > >
> > > Hi,
> > >
> > > We have been using squid 3.5.23 on ubuntu 16 with the configuration
> > > clientca=CERTPATH without any problem. We decided to run the new
> > > version squid 4.1 on ubuntu 18 with the same config. But now client
> > > certificate auth is not working anymore and we got this message on
> > > debug:
> > >
> > > ERROR: Unknown TLS option 'clientca=/etc/squid/cert/ca/ca.crt'
> > > ...
> > >
> > > Are we missing something, or is the clientca option at
> > > http://www.squid-cache.org/Doc/config/http_port/ broken?
> > >
> > > By the way we also tried the tls-cafile and capath options; we didn't
> > > get any error messages with these options but the squid server is
> > > still not requesting any client certificate.
> > >
> > > Appreciate the help.
> > >
> > > Regards,
> > > Logan
> > >
> >
>
>


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-12 Thread login mogin
Thanks a lot, just tried the patch, sadly still not working.

Best
Logan

Alex Rousskov, on Thu, 12 Jul 2018 at 22:03, wrote:

> On 07/12/2018 07:58 PM, login mogin wrote:
> > Or should I report this as a bug?
>
> Your call, but it is a bug. You can also try the following _untested_
> patch: https://github.com/squid-cache/squid/pull/252.patch
>
>
> Good luck,
>
> Alex.
>
>
> > On Thu, Jul 12, 2018 at 4:11 AM login mogin wrote:
> >
> > Hi,
> >
> > We have been using squid 3.5.23 on ubuntu 16 with the configuration
> > clientca=CERTPATH without any problem. We decided to run the new
> > version squid 4.1 on ubuntu 18 with the same config. But now client
> > certificate auth is not working anymore and we got this message on
> > debug:
> >
> > ERROR: Unknown TLS option 'clientca=/etc/squid/cert/ca/ca.crt'
> > ...
> >
> > Are we missing something, or is the clientca option at
> > http://www.squid-cache.org/Doc/config/http_port/ broken?
> >
> > By the way we also tried the tls-cafile and capath options; we didn't
> > get any error messages with these options but the squid server is
> > still not requesting any client certificate.
> >
> > Appreciate the help.
> >
> > Regards,
> > Logan
> >
>
>


Re: [squid-users] ERROR: Unknown TLS option clientca

2018-07-12 Thread login mogin
Do you guys have any idea on this? Or should I report this as a bug?

On Thu, Jul 12, 2018 at 4:11 AM login mogin wrote:

> Hi,
>
> We have been using squid 3.5.23 on ubuntu 16 with the configuration
> clientca=CERTPATH without any problem. We decided to run the new version
> squid 4.1 on ubuntu 18 with the same config. But now client certificate
> auth is not working anymore and we got this message on debug:
>
> ERROR: Unknown TLS option 'clientca=/etc/squid/cert/ca/ca.crt'
> ...
>
> Are we missing something, or is the clientca option at
> http://www.squid-cache.org/Doc/config/http_port/ broken?
>
> By the way we also tried the tls-cafile and capath options; we didn't get any
> error messages with these options but the squid server is still not requesting
> any client certificate.
>
> Appreciate the help.
>
> Regards,
> Logan
>


Re: [squid-users] question about squid and https connection .

2018-07-12 Thread login mogin
Hi Ahmad,

The proxy will just change your IP when you are connecting to FB in this way,
but FB probably has, or at least should have, so many other ways to detect
whether that's the same person connecting; browser-based profiling, just to
name one. They have your user_agent, browser extensions, cookies, etc.
In other words you will have so many other footprints.

Best
Logan

--Ahmad--, on Thu, 12 Jul 2018 at 15:15, wrote:

> THANK YOU Guys ALL.
>
>
> so my question, put another way, is:
>
>
> if i have a squid proxy and use it the TCP_Connect way,
>
> and from the same pc and same browser try to open facebook from 200
> different addresses,
>
> then facebook won't have a footprint that there are 200 different addresses
> hitting FB from the same public key/cert.
>
> i just want to make sure there is no footprint.
>
> that's why i asked.
>
> let me know your concerns Guys, thanks a lot Guys!
>
> > On 12 Jul 2018, at 23:35, Eliezer Croitoru  wrote:
> >
> > Alex,
> >
> > Just to be sure:
> > Every RSA key and certificate pair, regardless of the origin server and
> > the SSL-BUMP enabled proxy, can be different.
> > If the key were the exact same one then we would probably have a very
> > big security issue/risk to my understanding (leaving aside DH).
> >
> > Would it be more accurate to say that as long as these 200 squid
> > instances (different squid.conf and a couple of other local variables)
> > use the same exact ssl_db cache directory, then it's probable that they
> > will use the same certificate?
> > Or these 200 squid instances are in SMP mode with 200 workers...
> > If these 200 instances do not share memory and certificate cache then
> > there is a possibility that the same site from two different sources
> > will serve different certificates (due to the different RSA key).
> >
> > Thanks,
> > Eliezer
> >
> > 
> > Eliezer Croitoru
> > Linux System Administrator
> > Mobile: +972-5-28704261
> > Email: elie...@ngtech.co.il
> >
> >
> >
> > -Original Message-
> > From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Alex Rousskov
> > Sent: Thursday, July 12, 2018 11:27 PM
> > To: --Ahmad-- ; Squid Users <
> squid-users@lists.squid-cache.org>
> > Subject: Re: [squid-users] question about squid and https connection .
> >
> > On 07/12/2018 01:17 PM, --Ahmad-- wrote:
> >
> >> if i have pc #1 and that pc opens facebook,
> >>
> >> then i have another pc #2 and that other pc opens facebook.
> >>
> >>
> >> now as we know facebook is https.
> >>
> >> so is the key/cert that is used on pc #1 the same as the cert on pc #2 to
> >> decrypt the fb encrypted traffic?
> >
> > Certificates themselves are not used (directly) to decrypt traffic
> > AFAIK, but yes, both PCs will see the same server certificate (ignoring
> > CDNs and other complications).
> >
> >
> >
> >> now in the presence of squid,
> >>
> >> if i used the tcp connect method, will it be different from the above?
> >
> > If you are not bumping the connection, then both PCs will see the same
> > real Facebook certificate as if those PCs did not use a proxy.
> >
> > If you are bumping the connection, then both PCs will see the same fake
> > certificate generated by Squid.
> >
> >
> >
> >> say i used 200 proxies on the same squid machine and used them to access FB
> >> from the same pc, same browser.
> >>
> >> will facebook see my cert/key i used to decrypt its traffic?
> >
> > If you are asking whether Facebook will know anything about the fake
> > certificate generated by Squid for clients, then the answer is "no,
> > unless Facebook runs some special client code to deliver (Squid)
> > certificate back to Facebook".
> >
> > In general, the origin server assumes that the client is talking to it
> > directly. Clients may pin or otherwise restrict certificates that they
> > trust, but after the connection is successfully established, the server
> > may assume that it is talking to the client directly. A paranoid server
> > may deliver special code to double check that assumption, but there are
> > other, more standard methods to prevent bumping such as certificate
> > pinning and certificate transparency services.
> >
> >
> >
> >> is the key/cert of FB used to decrypt the https content the same on all
> >> browsers on all computers?
> >
> > If you are asking whether the generated certificates are going to be the
> > same for all clients, then the answer is "yes, provided all those 200
> > Squids use the same configuration (including the CA certificate) and
> > receive the same real certificate from Facebook". Squid's certificate
> > generation algorithm generates the same certificate given the same
> > configuration and the same origin server certificate.
> >
> >
> > HTH,
> >
> > Alex.
> >
>
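The points Alex makes above (both PCs see the same real certificate when the connection is not bumped, the same proxy-generated one when it is, and a client can refuse the generated one through its trust store or certificate pinning) can be made concrete without running any proxy. The following is an added example, not code from this thread or from Squid: it mints a constructed origin CA and leaf, has a constructed "bump CA" re-issue a look-alike leaf the way a bumping proxy does (same subject and SAN, its own key, its own signature), and runs three client-side checks against both leaves. It assumes the `cryptography` Python package is installed; every name and key in it is generated on the spot.

```python
"""Why a client can tell a bumped connection from a direct one.

Added example for the certificate discussion in this thread; not code from
the thread or from Squid. Requires the `cryptography` package (assumption).
All CA names, hostnames and keys are constructed here.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def issue(common_name, san_dns, subject_key, issuer_key=None, issuer_name=None, is_ca=False):
    """Issue a certificate; self-signed when no issuer key/name is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name if issuer_name is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if san_dns:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in san_dns]), critical=False)
    return builder.sign(issuer_key if issuer_key is not None else subject_key, hashes.SHA256())


def san_names(cert):
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def mimic(origin_leaf, bump_ca, bump_ca_key):
    """What a bumping proxy does: same names as the origin leaf, proxy's own key and CA."""
    cn = origin_leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return issue(cn, san_names(origin_leaf), _keypair(), bump_ca_key, bump_ca.subject)


# --- three client-side checks of increasing strength -----------------------

def name_matches(cert, host):
    """Hostname check alone: the mimic passes it, since the names were copied."""
    return host in san_names(cert)


def signed_by(cert, ca_cert):
    """Trust-store check: does this CA's key verify the certificate signature?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def spki_sha256(cert):
    """SPKI pin: SHA-256 of the certificate's public key, the value pins compare."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def build_scenario(host="saas.example.test"):
    """Constructed PKI: one origin CA with a leaf, one bump CA that mimics that leaf."""
    origin_ca_key, bump_ca_key = _keypair(), _keypair()
    origin_ca = issue("Constructed Origin Root CA", [], origin_ca_key, is_ca=True)
    bump_ca = issue("Constructed Proxy Bump CA", [], bump_ca_key, is_ca=True)
    origin_leaf = issue(host, [host], _keypair(), origin_ca_key, origin_ca.subject)
    return {"host": host, "origin_ca": origin_ca, "bump_ca": bump_ca,
            "origin_leaf": origin_leaf,
            "mimic_leaf": mimic(origin_leaf, bump_ca, bump_ca_key)}


def evaluate(s):
    """Run the three checks against the real leaf and the proxy-minted one."""
    pin = spki_sha256(s["origin_leaf"])   # what a client would have pinned earlier
    results = {}
    for label in ("origin_leaf", "mimic_leaf"):
        cert = s[label]
        results[label] = {
            "name_ok": name_matches(cert, s["host"]),
            "trusted_by_origin_ca": signed_by(cert, s["origin_ca"]),
            "trusted_by_bump_ca": signed_by(cert, s["bump_ca"]),
            "pin_ok": spki_sha256(cert) == pin,
        }
    return results


if __name__ == "__main__":
    for label, r in evaluate(build_scenario()).items():
        print(label, r)
```

Run it directly to print the two result rows. The name check passes for both leaves, which is exactly why hostname matching alone never reveals interception; the trust-store check separates them only if the client does not trust the bump CA, which is the whole point of installing that CA on managed machines; the SPKI pin separates them regardless of what the client trusts, which is the certificate pinning Alex mentions.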

[squid-users] ERROR: Unknown TLS option clientca

2018-07-12 Thread login mogin
Hi,

We have been using squid 3.5.23 on ubuntu 16 with the configuration
clientca=CERTPATH without any problem. We decided to run the new version
squid 4.1 on ubuntu 18 with the same config. But now client certificate
auth is not working anymore and we got this message on debug:

ERROR: Unknown TLS option 'clientca=/etc/squid/cert/ca/ca.crt'
...

Are we missing something, or is the clientca option at
http://www.squid-cache.org/Doc/config/http_port/ broken?

By the way, we also tried the tls-cafile and capath options; we didn't get any
error messages with these options but the squid server is still not requesting
any client certificate.

Appreciate the help.

Regards,
Logan