Re: [squid-users] SSL Peek and Splice with SIP over TCP
On 10/03/2016 2:35 p.m., Eliezer Croitoru wrote:
> On 09/03/2016 21:31, Jason Haar wrote:
> > Or use socat. I have used it to allow ancient SSLv3-only clients to
> > communicate with TLS-only servers.
> >
> > Jason
>
> Would it be possible to put haproxy as an SSL termination proxy and pass
> the TCP request to squid? Which will result in a similar situation to
> SOCKS?

HAProxy is another HTTP proxy. The problem is not the TLS. But the SIP != HTTP factoid.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] SSL Peek and Splice with SIP over TCP
On 09/03/2016 21:31, Jason Haar wrote:
> Or use socat. I have used it to allow ancient SSLv3-only clients to
> communicate with TLS-only servers.
>
> Jason

Would it be possible to put haproxy as an SSL termination proxy and pass
the TCP request to squid? Which will result in a similar situation to
SOCKS?

Eliezer
Re: [squid-users] SSL Peek and Splice with SIP over TCP
Or use socat. I have used it to allow ancient SSLv3-only clients to
communicate with TLS-only servers.

Jason

On Thu, Mar 10, 2016 at 12:28 AM, Amos Jeffries wrote:
> On 9/03/2016 6:53 p.m., Howard Kranther wrote:
> > Hello, I am investigating the use of squid as a client side proxy to
> > provide TLS 1.2 support for a VOIP application using SIP over TCP. The
> > application would use TCP or TLS 1.0 to communicate with squid, which
> > would bump either of those to TLS 1.2 to communicate with a phone
> > system. The application uses a commercial SIP stack so adding an HTTP
> > CONNECT message to the start of a SIP session and processing the
> > response is problematic.
>
> Squid is an HTTP proxy. CONNECT is the only way non-HTTP compatible
> protocols can be delivered over HTTP.
>
> You need to go looking for a SOCKS proxy.
>
> Amos

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [squid-users] SSL Peek and Splice with SIP over TCP
On 9/03/2016 6:53 p.m., Howard Kranther wrote:
> Hello, I am investigating the use of squid as a client side proxy to
> provide TLS 1.2 support for a VOIP application using SIP over TCP. The
> application would use TCP or TLS 1.0 to communicate with squid, which
> would bump either of those to TLS 1.2 to communicate with a phone
> system. The application uses a commercial SIP stack so adding an HTTP
> CONNECT message to the start of a SIP session and processing the
> response is problematic.

Squid is an HTTP proxy. CONNECT is the only way non-HTTP-compatible
protocols can be delivered over HTTP.

You need to go looking for a SOCKS proxy.

Amos
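The CONNECT preamble Amos refers to, as an added example (this is not code from the thread, from Squid, or from the poster's SIP stack): what a SIP-over-TCP client would have to send to Squid before its first SIP message, how it must parse the proxy's reply (including any bytes the proxy already relayed after the blank line), and, once the tunnel is up, how it can raise its own TLS floor to 1.2 instead of relying on the proxy to do so. The proxy address, the PBX host name and the ports are assumptions; the reply bytes used for checking are constructed. Jason's socat suggestion below achieves the same re-wrapping without the client speaking CONNECT at all.

```python
"""CONNECT tunnel for a non-HTTP protocol (SIP) through an HTTP proxy such as Squid.

Added example for the squid-users thread; not Squid code. Proxy, PBX host and
ports are assumptions. Requires Python 3.7+ (ssl.TLSVersion).
"""
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP/1.1 CONNECT request (RFC 7231 s.4.3.6). The Host header is mandatory."""
    authority = f"{host}:{port}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n"
            f"\r\n").encode("ascii")


def parse_connect_response(data: bytes):
    """Split the proxy's reply into (status_code, leftover_bytes).

    Returns (None, data) while the response head is still incomplete.
    `leftover` is whatever followed the blank line: on a 2xx it already belongs
    to the tunnelled protocol and must be handed on, never discarded.
    """
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None, data
    head = data[:head_end].decode("iso-8859-1")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT status line: {status_line!r}")
    return int(parts[1]), data[head_end + 4:]


def upstream_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the PBX cert."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_sip_tunnel(proxy=("127.0.0.1", 3128),          # assumed: Squid co-resident
                    target=("pbx.example.net", 5061),   # assumed: phone system, SIPS port
                    use_tls=True):
    """Connect to Squid, CONNECT to the PBX, then optionally start TLS 1.2+ inside."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(*target))
    buf, status, leftover = b"", None, b""
    while status is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        status, leftover = parse_connect_response(buf)
    if status // 100 != 2:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    if not use_tls:
        return sock, leftover               # plain SIP over TCP through the tunnel
    if leftover:
        # A TLS handshake must begin on a clean tunnel; stray bytes here mean
        # the proxy relayed something before we spoke, which is a fault.
        sock.close()
        raise ConnectionError("unexpected bytes after CONNECT reply")
    tls = upstream_tls_context().wrap_socket(sock, server_hostname=target[0])
    return tls, b""


if __name__ == "__main__":
    # Offline demonstration of the parsing step on constructed proxy replies.
    print(parse_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(parse_connect_response(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"))
```

The awkward part for a closed SIP stack is exactly the loop in `open_sip_tunnel`: the stack's transport layer has to consume the proxy reply before the first SIP `REGISTER` goes out, and on a 2xx any bytes after the blank line must be passed up, not dropped. Note also that once the client end can be modified this far, it can set the TLS floor itself (`upstream_tls_context`), which removes the need for the proxy to upgrade TLS 1.0 to 1.2.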
[squid-users] SSL Peek and Splice with SIP over TCP
Hello,

I am investigating the use of squid as a client-side proxy to provide TLS 1.2 support for a VOIP application using SIP over TCP. The application would use TCP or TLS 1.0 to communicate with squid, which would bump either of those to TLS 1.2 to communicate with a phone system. The application uses a commercial SIP stack, so adding an HTTP CONNECT message to the start of a SIP session and processing the response is problematic. squid would be co-resident on each system hosting a SIP client.

Can this be done? Is there any other way to do this with squid?

Thanks,
Howard Kranther
Re: [squid-users] SSL Peek and Splice
On Thu, 2015-10-01 at 13:26 +0200, Job wrote:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementation, do i have to install the self-made Certification
> Authority as for SSL Bump?
> 2. how can i block domains (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document
>
> Thank you for your patience and many thanks!
>
> Francesco

I've found that with peek/splice, instead of stare/bump, I did not need to install the certificate on the end device (daughter got a new phone and I forgot to install it... still worked anyway... cool). Config below for exactly what you're wanting... change netblocks to what you're using and change cert locations and whatnot. Before just doing a copy/paste and go, I would recommend reading the docs to get a better understanding of what the below directives mean. The file http_url.txt is regex, so it will have entries like \.apple\.com.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

sslproxy_capath /etc/ssl/certs
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %
Re: [squid-users] SSL Peek and Splice
01.10.15 17:26, Job wrote:
> Hello,
>
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> i would like to ask you two questions, please:
>
> 1. in this implementation, do i have to install the self-made Certification
> Authority as for SSL Bump?

Yes.

> 2. how can i block domains (dstdomain with squid) with Peek and Splice? It
> seems not possible by reading the document

Not only by dstdomain, but also with external redirectors:
http://i.imgur.com/nXOtDPX.png

> Thank you for your patience and many thanks!
>
> Francesco
[squid-users] SSL Peek and Splice
Hello,

by reading the 3.5 Squid version "Peek and splice" features:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

i would like to ask you two questions, please:

1. in this implementation, do i have to install the self-made Certification Authority as for SSL Bump?
2. how can i block domains (dstdomain with squid) with Peek and Splice? It seems not possible by reading the document

Thank you for your patience and many thanks!

Francesco