Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Yuri Voinov


15.11.2016 20:22, Sergio Belkin wrote:
> Hi,
>
> When using something like that:
>
> http_port 8080 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/proxy/ssl_cert/example.com.cert
> key=/home/proxy/ssl_cert/example.com.private
>
>
> Is possible to use a certificate generated by a trusted CA?
No.

In theory, if you can force a trusted CA to issue a subordinate
intermediate CA personally to you, yes, it is possible. But forcing a
trusted CA to issue a subordinate CA personally to you is not possible due
to the trusted CA's CPS. To do this you would have to be a trusted CA yourself, i.e.
pass audits, have PKI infrastructure, have a lot of money and blah-blah-blah.

So, you can't do SSL bump without notifying users.
>
>
> Thanks in advance!
> -- 
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Cats - delicious. You just do not know how to cook them.




Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow

On 15/11/16 14:22, Sergio Belkin wrote:

Hi,

When using something like that:

http_port 8080 intercept ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB 
cert=/home/proxy/ssl_cert/example.com.cert 
key=/home/proxy/ssl_cert/example.com.private



Is possible to use a certificate generated by a trusted CA?


Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


If you mean a normal commercial CA, then no, because you would need the 
CA's signing key, which I very much doubt they would give you, and your 
cert would need to have signing capability, which it won't.


Cheers

Alex


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow



On 15/11/16 14:28, Yuri Voinov wrote:



So, you can't do SSL bump without users notification.


You can if you have control over the clients, ie install your CA into 
the browser/OS.


Alex
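Yuri's and Alex's replies above come down to one PKI fact: the cert= on an ssl-bump http_port becomes the issuer of every certificate Squid generates for a bumped host, so it has to be a CA certificate (CA:TRUE, keyCertSign) that the clients trust. A commercial CA will not sell that, while a private CA pushed into the browser/OS trust store works. The shell script below is added here as an illustration; it is not part of the thread or of Squid. It walks through both cases with the openssl CLI (1.1.1 or newer assumed). "Example Public CA", "Example Proxy CA", example.com and www.bumped.test are made-up names.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. With the openssl
# CLI it reproduces what ssl_bump generate-host-certificates does (mint a
# certificate for the requested host, signed with the cert= and key= given
# on http_port) and shows why a server certificate issued by a public CA
# cannot be that signer, while a private CA installed on every client can.
# "Example Public CA", example.com and www.bumped.test are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own openssl config so nothing depends on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# Self-signed CA $1 (basename under $WORK) with CN $2: CA:TRUE + keyCertSign.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server certificate $2 for host $3, signed with $1's cert and key. This is
# the operation Squid performs for every bumped host; like Squid, openssl
# signs with whatever key it is handed and does not check the signer's CA
# bit. (A real bump cert also copies the origin's SAN; verify needs none.)
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 7 -sha256 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_server -out "$WORK/$2.crt" 2>/dev/null
}

# Does certificate $1 carry the CA bit a signer needs? Prints yes/no.
can_sign_certs() {
  if openssl x509 -noout -text -in "$WORK/$1.crt" | grep -q 'CA:TRUE'
  then echo yes; else echo no; fi
}

# A client whose trust store holds only $1, shown the chain $2 (optional
# intermediate, as Squid would send it) + leaf $3. Prints OK/FAIL.
client_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
      "$WORK/$3.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$3.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# 1. A public CA (stand-in for the commercial CA clients already trust)
#    issues example.com an ordinary server certificate.
make_ca public_ca "Example Public CA"
issue_server_cert public_ca example_com example.com

# 2. What was asked for: put that certificate on http_port and let Squid
#    sign per-host certificates with it.
issue_server_cert example_com bumped_by_leaf www.bumped.test

# 3. Alex's answer: a private CA, deployed into the browser/OS trust store.
make_ca proxy_ca "Example Proxy CA"
issue_server_cert proxy_ca bumped_by_ca www.bumped.test

echo "example.com cert can sign:   $(can_sign_certs example_com)"  # no
echo "private proxy CA can sign:   $(can_sign_certs proxy_ca)"     # yes
echo "trusts public CA, leaf-signed bump: $(client_verifies public_ca example_com bumped_by_leaf)"  # FAIL
echo "trusts public CA, proxy-CA bump:    $(client_verifies public_ca '' bumped_by_ca)"             # FAIL
echo "proxy CA installed, proxy-CA bump:  $(client_verifies proxy_ca '' bumped_by_ca)"              # OK
```

The two FAIL lines are the two halves of the thread's answer: a leaf certificate from a public CA is rejected as an issuer (no CA bit, no keyCertSign), and a private CA is rejected by any client that has not been given it. Only the last case, the private CA present in the client's store, verifies, which is why bumping cannot be done without touching the clients.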


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Yuri Voinov


15.11.2016 20:43, Alex Crow wrote:
>
>
> On 15/11/16 14:28, Yuri Voinov wrote:
>>
>>
>> So, you can't do SSL bump without users notification.
>
> You can if you have control over the clients, ie install your CA into
> the browser/OS.
... and this can be illegal ;)
>
> Alex


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow

On 15/11/16 16:22, Yuri Voinov wrote:



You can if you have control over the clients, ie install your CA into
the browser/OS.

... and this can be illegal ;)



YMMV (depending on where you live/work)!


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Yuri Voinov


15.11.2016 22:28, Alex Crow wrote:
> On 15/11/16 16:22, Yuri Voinov wrote:
>>
>>> You can if you have control over the clients, ie install your CA into
>>> the browser/OS.
>> ... and this can be illegal ;)
>>
>
> YMMV (depending on where you live/work)!
AFAIK spying on users without their agreement is illegal anywhere.


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Patrick Chemla

Hi,

I have the same problem, and I need to use trusted CA certificates, so what
is the solution?

I have a squid 3.5.20 used for multiple domains, multiple backends,
using both HTTP and HTTPS.

Actually, the HTTP configuration is OK, the backends are OK with HTTPS,
trusted certificates, verified with wget https://.

acl rules are OK, sending each request according to the domain to the
right backend.

I need to add trusted certificates for some domains. I found that I
could do that using http_port XXX.XXX.XXX.XXX:443 where I have different
IPs, each with its own certificate.

But I must say that I am really lost in all the options. I have googled for
days, I tried a lot of settings (ssl_bump, intercept, self-signed
certificates, trusted certificates), I saw differences between old
versions and 3.5, and I can't make any of them work.

So questions:

1/ Should I set up the squid certificate with ONLY self-signed, or is there
a way to use trusted certificates? If only self-signed, will the user
always be forced to accept the self-signed certificate the first
time? Not really good for commercial sites.

2/ Should the backend cache_peer be set as ssl on port 443, or could it be
simple http on port 80 (backends are internal VMs on the same server, no
external network between squid and backends)?

3/ Will the acl rules work OK to send each request to the right
backend according to domain, even in HTTPS?

4/ Do you know some clear and easy howto or examples for such settings,
from which I could learn how to do it?

Thanks for help
Patrick



Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
That's why you gain their consent when they sign their employment contract.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
I'm not sure what you are trying to do. It sounds like you're running a reverse 
proxy, which has nothing to do with SSL bump or peek/splice.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Amos Jeffries
On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
> Hi,
> 
> I have same problem, and I need to use trusted CA certificates, so what
> is the solution?

Not to do illegal bad things that violate your contract with the CA.

Any CA which lets you intercept traffic by generating sub-certificates
with their root *will* be blacklisted and effectively "thrown off the
Internet". It has happened already for several CAs who thought that was
an idle threat.

> 
> I have a squid 3.5.20 used for multiple domains, multiple backends,
> using both HTTP and HTTPS.

As Alex said, what you describe here sounds a lot more like
reverse-proxy than interception.

Sergey who started this thread was intercepting HTTPS traffic sent by
clients to an explicit proxy. All answers so far have been about that
topic, which is probably *not* what you are facing.

The configurations and limitations are very different. So first thing to
do is be clear about what actually you are trying to do.


> So questions:
> 
> 1/ Should I set up the squid certificate with ONLY self-signed, or there
> is a way to use Trusted certificates? So if only self-signed, the user
> will be always forced to accept the self-signed certificate on first
> time? not really good for commercial sites.
> 

Are you the owner of the website(s) or an authorized CDN/Hosting
provider for them ?


> 2/ Should the backend cache_peer set as ssl on port 443, or could it be
> simple http 80 (backends are internal VMs onto the same server, no
> external network between squid and backends)?
> 

That depends on your answer to the above.

> 3/ Will the acls rules work OK to affect each request to the right
> backend according to domain, even in HTTPS?
> 

Yes. But the detail may not be what you expect. It depends on the above
answers.

> 4/ Do you know some clear and easy howto, examples, for such settings,
> from where I could get how to do?
> 

 contains all of the
configurations you might need. But which one(s) are correct for you
depends on what you are actually needing to do.

Amos



Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Patrick Chemla
Thanks for your answers, I am not doing anything illegal, I am trying to
build a performant platform.

I have a big server running about 10 different websites.

I have on this server virtual machines, each specialized for one or some
websites, and squid helps me send the traffic to the destination
website on the internal VM according to the URL.

Some VMs are paired, so squid will load-balance the traffic on a group of
VMs according to the URL/acls.

All this works in HTTP, thanks to Amos's advice a few weeks ago.

Now, I need to set up SSL traffic, and because the domains are different I
need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid work with SSL and never
succeeded because of so many options, and this question: should the traffic
between squid and the backend be SSL? If yes, it's OK for me,
nothing illegal.

The second question: how to set up the SSL link on squid, getting the SSL
request and sending it to the backend. Actually the backend can handle SSL
traffic; it's OK for me if I find the way to make squid handle the
traffic according to the acls. squid must decrypt the request, compute
the acls, then re-encrypt to send to the backend.

The reason I asked not to re-encrypt is performance. All this
is on the same server, from the host to the VMs, and decrypt, then
re-encrypt, then decrypt will be resource consuming. But I can do it
like that.

Now, do you have any clear howto that will help? I found many on
Google and none of them gave me a working solution.

The other question is about trusted certificates. We have trusted
certificates on the websites. Should we use the same on the squid?

Thanks for appreciated help

Patrick





Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow


You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all the
certs you need.

See:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each domain and
set up multiple https_port with a different listening IP for each site.
If you have a wildcard cert, ie *.mydomain.com, follow it directly.

Here's a couple more:

http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )

http://www.squid-cache.org/Doc/config/https_port/

That's as far as my knowledge goes on reverse in Squid; at my site we
use nginx. But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.

Alex


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Patrick Chemla
Many thanks Alex. I will try in the next hours and let you know if I am
successful.


Patrick




Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-17 Thread Patrick Chemla

Hi Alex,

I followed

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: is there something bad there?

==
debug_options   ALL,1  33,2 28,9

http_port 5.39.105.241:443 accel defaultsite=www.sempli.com 
cert=/etc/squid/ssl/sempli.com.crt key=/etc/squid/ssl/sempli.com.key


cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS 
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS 
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
name=SEMP2


acl w3_sempli dstdomain .sempli.com
cache_peer_access SEMP1 allow w3_sempli
cache_peer_access SEMP1 deny all

http_access allow w3_sempli

=

$ wget https://www.sempli.com
--2016-11-17 19:34:49--  https://www.sempli.com/
Resolving www.semplitech.com (www.sempli.com)... xxx.xxx.xxx.xxx
Connecting to www.semplitech.com (www.sempli.com)|xxx.xxx.xxx.xxx|:443... connected.

OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Same error with the browser
=
This is what I have in the access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE 
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE 
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE


===
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: 
id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: 
id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: 
id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) 
clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: 
local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 
0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
(access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
(access_log daemon:/var/log/squid/access.log line) = 1
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
access_log daemon:/var/log/squid/access.log = 1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished: 
0x78737acd23c0 answer ALLOWED f

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-17 Thread Patrick Chemla


Hi Alex, sorry for disturbing, but it works with

https_port 5.39.105.241:443 accel defaultsite=www.sempli.com 
cert=/etc/squid/ssl/sempli.com.crt key=/etc/squid/ssl/sempli.com.key


Many, many, many Thanks for valuable help.

Patrick
On 17/11/2016 at 19:48, Patrick Chemla wrote:

Hi Alex,

I followed the

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: Is there something bad there?

==
debug_options   ALL,1  33,2 28,9

http_port 5.39.105.241:443 accel defaultsite=www.sempli.com 
cert=/etc/squid/ssl/sempli.com.crt 
key=/etc/squid/ssl/sempli.com.key


cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS 
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS 
sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
name=SEMP2


acl w3_sempli dstdomain .sempli.com
cache_peer_access SEMP1 allow w3_sempli
cache_peer_access SEMP1 deny all

http_access allow w3_sempli

=

$ wget https://www.sempli.com
--2016-11-17 19:34:49--  https://www.sempli.com/
Résolution de www.semplitech.com (www.sempli.com)… xxx.xxx.xxx.xxx
Connexion à www.semplitech.com 
(www.sempli.com)|xxx.xxx.xxx.xxx|:443… connecté.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol

Incapable d'établir une connexion SSL.

Same error with the browser
=
This is what I have in the access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE 
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE 
error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE


===
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: 
id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: 
id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: 
id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) 
clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: 
local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 
0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
(access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| A
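
An added diagnostic, not from the thread or from Squid, that picks the signature above out of access.log and shows why Squid's HTTP parser rejects the bytes: the field layout is inferred from the lines Patrick posted (not a named Squid logformat), and the third sample line and the TLS record bytes are constructed.

```python
import re

# Constructed sample: the two access.log lines from the thread (each one log
# entry, unwrapped) plus one ordinary request, constructed, for contrast.
SAMPLE_ACCESS_LOG = """\
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- 192.0.2.10 - - - [17/Nov/2016:18:40:01 +0100] "GET https://www.sempli.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_MISS:FIRSTUP_PARENT
"""

# Layout inferred from the sample lines (an assumption, not a named logformat):
# five dash/address fields, [time], "request", status, bytes, "referer", "agent", tag.
LINE_RE = re.compile(
    r'^\S+ (?P<client>\S+) \S+ \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<tag>\S+)$')


def parse_line(line):
    """One access.log line -> dict with method/url split out; None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    method, url = (rec["request"].split() + ["", ""])[:2]
    rec.update(method=method, url=url, status=int(rec["status"]))
    return rec


def is_tls_on_plain_port(rec):
    """The thread's signature: the HTTP parser rejected the first bytes (method
    NONE, error:invalid-request, 400) and no peer was ever chosen (HIER_NONE).
    A TLS ClientHello sent to an http_port listener logs exactly this; wget's
    "unknown protocol" is the client side of the same failure."""
    return (rec["method"] == "NONE" and rec["url"] == "error:invalid-request"
            and rec["status"] == 400 and rec["tag"] == "TAG_NONE:HIER_NONE")


def find_tls_on_plain_port(log_text):
    """Parsed records that carry the misconfiguration signature."""
    recs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in recs if r and is_tls_on_plain_port(r)]


def classify_first_bytes(data):
    """Why Squid could not parse it: a TLS record opens with content type 0x16
    (handshake) and major version 0x03, with handshake type 0x01 (ClientHello)
    at offset 5; nothing in that is a valid HTTP request line."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if re.match(rb"[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n", data):
        return "http-request"
    return "unknown"
```

Switching the listener from http_port to https_port, as in the message above, is what makes the first bytes on port 443 a ServerHello rather than a 400.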

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-17 Thread Alex Crow


On 17/11/16 18:11, Patrick Chemla wrote:
>
> Hi Alex, sorry for disturbing, but it works with
>
> https_port 5.39.105.241:443 accel defaultsite=www.sempli.com
> cert=/etc/squid/ssl/sempli.com.crt
> key=/etc/squid/ssl/sempli.com.key
>
> Many, many, many Thanks for valuable help.
>
> Patrick

No problem.

I think we all tend to overthink things until we've got used to them.
Glad you got it sorted.

Alex



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-21 Thread Patrick Chemla

Hi Alex, and all others

No I have set it for multiple domains, and it works really fine. Again 
many thanks.


But I have a new demand:

Within one of the sites, where squid handles the https connection and then 
communicates with the internal VM through http, there is one (at least, maybe 
we will find others), I don't know why, but the dev wants them http only.


When I come from the menu to this page, the app returns an http:// link to 
squid. Squid encrypts and sends an https:// link to the browser, but then when 
the user hits the link, some of the components of the page should stay 
http://, and there the browser detects an https page with http components 
embedded, and blocks them.


Is there a way to tell squid to leave some links as http?

My domain is domain.tld:

the browser asks for https://domain.tld

squid decrypts, recognizes this domain, and according to the acl goes to VM1, 
in http:// mode, not encrypted.


The site on VM1 returns a page in http:// mode, with all links as http 
too, and squid sends it back encrypted to the browser with all links 
embedded in https://


I want a special link on the page http://domain.tld/special/ to stay http.

How can I instruct squid to leave it as it is, but not the others?

Thanks

Patrick



Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-21 Thread Amos Jeffries
On 21/11/2016 11:44 p.m., Patrick Chemla wrote:
> Hi Alex, and all others
> 
> No I have set it for multiple domains, and it works really fine. Again
> many thanks.
> 
> But I have a new demand:
> 
> Within one of the sites, where squid handles the https connection and then
> communicates with the internal VM through http, there is one (at least, maybe
> we will find others), I don't know why, but the dev wants them http only.
> 
> When I come from the menu to this page, the app returns an http:// link to
> squid. Squid encrypts and sends an https:// link to the browser,

No. Squid does nothing to the response payload.

What you are seeing as a "problem" is a natural side effect of telling
the origin server it is being contacted over plain-text HTTP.


> but then when
> the user hits the link, some of the components of the page should stay
> http://, and there the browser detects an https page with http components
> embedded, and blocks them.
> 
> Is there a way to tell squid to let http some link?
> 

Squid is not doing anything to page links.


> My domain is domain.tld:
> 
> the browser ask for https://domain.tld
> 
> squid decrypts, recognizes this domain, and according to the acl goes to VM1,
> in http:// mode, not encrypted.
> 
> The site on VM1 returns a page in http:// mode, with all links as http
> too, and squid sends it back encrypted to the browser with all links
> embedded in https://

No. You have misunderstood what is going on:

- the browser contacts domain.tld on port 443 using TLS, and sends a request
for domain.tld with some path.

- squid receives on port 443 and terminates/decrypts the TLS, finding
the HTTP message inside requesting domain.tld with some path.

- squid contacts the VM1 and requests domain.tld with some path.

- the server produces some response+payload (HTTP payload is always
opaque data N bytes long).

- squid delivers the response message+payload back to browser over the
TLS connection.

That is *all* that happens.

> 
> I want a special link on the page http://domain.tld/special/ to stay http.
> 
> How can I instruct squid to leave it as it is, but not the others?

Squid is already not touching it.

Squid by design does only the *transfer* (HTTP, HTTPS, etc) part of
transferring objects around. It intentionally does not change what
those objects are.


The browser has been coded or configured to place unusual and painful
restrictions on what its user can do with it.

 - the browser could stop being so restrictive in the things it allows
its user to do. This kind of mix-match of URLs is common on the Internet.

 - the origin server could be "fixed" to use relative URLs instead of
absolute. Either relative-path or relative-scheme are easily done.

 - you might use ICAP/eCAP service(s) to transcode the response objects'
internal strings. But that is very difficult to get right, so there will
always be some problems occurring.


Amos
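
Amos's second option, as an added example that is not from the thread or from Squid: the origin rewrites its own absolute http:// links to scheme-relative form, so the browser resolves them with the scheme of the page it is on. The HTML and the third-party host static.example.net are constructed; domain.tld is the thread's placeholder.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed: a page as VM1 (plain HTTP behind the accelerator) might emit it,
# with absolute http:// links because the origin was contacted over HTTP.
ORIGIN_HTML = """<a href="http://domain.tld/special/">special</a>
<img src="http://domain.tld/img/logo.png">
<script src="http://static.example.net/lib.js"></script>
<a href="/menu/">already relative</a>
"""

# href/src attribute values in double or single quotes.
ATTR_RE = re.compile(r'\b(href|src)=(["\'])(.*?)\2', re.IGNORECASE)


def scheme_relative(html, own_hosts):
    """Rewrite absolute http:// URLs that point at our own hosts to //host/path
    so the browser reuses the scheme of the page it is on. Third-party and
    already-relative URLs are left untouched (not ours to change)."""
    def fix(m):
        attr, quote, url = m.groups()
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in own_hosts:
            url = urlunsplit(("", parts.netloc, parts.path, parts.query, parts.fragment))
        return f"{attr}={quote}{url}{quote}"
    return ATTR_RE.sub(fix, html)


def resolved_by_browser(page_url, link):
    """What the browser actually fetches: a scheme-relative link inherits the
    page's scheme, so on the https page served through Squid it becomes
    https and the mixed-content block never triggers."""
    return urljoin(page_url, link)
```

This is the origin-side fix; it does not make /special/ stay http on an https page, which is exactly the case the browser is refusing.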
