[squid-users] Question squid on centos 6.5 and poodle

2014-10-16 Thread Alexander Samad
Hi I am trying to reconfig the ssl setup on a reverse proxy set https_port 2.7.3.1:443 accel cert=/etc/httpd/conf.d/office.xyz.com.crt key=/etc/httpd/conf.d/office.xyz.com.key dhparams=/etc/httpd/conf.d/office.xyz.com.dhparam defaultsite=office.yieldbroker.com options=NO_SSLv2,NO_SSLv3 cipher=AL

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Eugene M. Zheganin
Hi. On 17.10.2014 11:02, Victor Sudakov wrote: > > I am attaching a traffic dump. > > Please look at Frame No. 36, where a ticket is requested for > "HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where > the ticket is granted, but for the wrong principal name. > The thing is, valid e

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Victor Sudakov
Markus Moeller wrote: > > That sounds a bit strange. Can you capture with wireshark the traffic on > port 88 on the system which has squiduser in the cache ( best after a clear > the cache with kerbtray first) when accessing squid and send it to me as cap > file ? I am attaching a traffic dum

Re: [squid-users] website search broken

2014-10-16 Thread Amos Jeffries
On 17/10/2014 3:42 p.m., James Harper wrote: > Doing a search on the main squid page gives me this: > > The requested URL /cgi-bin/swish-query.cgi was not found on this > server. > > Maybe better doing a google search anyway? Yes, swish has been dow

[squid-users] website search broken

2014-10-16 Thread James Harper
Doing a search on the main squid page gives me this: The requested URL /cgi-bin/swish-query.cgi was not found on this server. Maybe better doing a google search anyway? James

Re: [squid-users] NET::ERR_CERT_COMMON_NAME_INVALID

2014-10-16 Thread Amos Jeffries
On 17/10/2014 1:30 p.m., Robert Watson wrote: > I believe my problem relates to a previous post regarding TLS > fallback > > in the squid-users list. Has there been any progress

Re: [squid-users] NET::ERR_CERT_COMMON_NAME_INVALID

2014-10-16 Thread Robert Watson
I believe my problem relates to a previous post regarding TLS fallback in the squid-users list. Has there been any progress with sslbump and tls fallback to tls1.0 if tls1.2/tls1.1 fails? On Wed, Oct 15, 2014 at 1:43 PM, Rob

Re: [squid-users] Supported configuration for adding origin server IP in response header

2014-10-16 Thread Darren Spruell
On Thu, Oct 16, 2014 at 1:53 PM, Amos Jeffries wrote: >> I view the Via header as similar to the Received header in SMTP. >> In this case it's added by other proxies/caches, correct? > > That's a good analogy, but not quite. It MUST be added by all proxies > including Squid. > > http://tools.ietf.o

Re: [squid-users] NET::ERR_CERT_COMMON_NAME_INVALID

2014-10-16 Thread Robert Watson
And this is the error page Squid generates... The following error was encountered while trying to retrieve the URL: ://204.44.2.199:443 *Failed to establish a secure connection to 204.44.2.199* The system returned: (71) Protocol error (TLS cod

Re: [squid-users] NET::ERR_CERT_COMMON_NAME_INVALID

2014-10-16 Thread Robert Watson
Here is the relevant part of cache.log from a fresh restart and immediately trying to access this https site...getting a fwdNegotiateSSL: Error negotiating SSL connection. *2014/10/16 14:40:07 kid1| Starting Squid Cache version 3.4.8-20140915-r13174 for x86_64-unknown-linux-gnu...* *2014/10/16 14:

Re: [squid-users] DEAD Parent detection

2014-10-16 Thread Amos Jeffries
On 17/10/2014 3:35 a.m., daniel.rie...@gmx.net wrote: > Hi guys, > > I got a problem with DEAD Parent detection. I've configured 2 > parents in squid.conf: > > cache_peer 10.0.0.101 parent 3128 0 default name=TEST1 cache_peer > 10.0.0.102 parent 3128

Re: [squid-users] Supported configuration for adding origin server IP in response header

2014-10-16 Thread Amos Jeffries
On 17/10/2014 9:29 a.m., Darren Spruell wrote: > On Thu, Oct 16, 2014 at 12:40 PM, Amos Jeffries > wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> On 17/10/2014 8:10 a.m., Darren Spruell wrote: >>> Had a use case to ask about, apologies

Re: [squid-users] Supported configuration for adding origin server IP in response header

2014-10-16 Thread Darren Spruell
On Thu, Oct 16, 2014 at 12:40 PM, Amos Jeffries wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 17/10/2014 8:10 a.m., Darren Spruell wrote: >> Had a use case to ask about, apologies if I missed in docs. Is >> there a configuration that allows squid running as forward proxy to >> ad

Re: [squid-users] Supported configuration for adding origin server IP in response header

2014-10-16 Thread Amos Jeffries
On 17/10/2014 8:10 a.m., Darren Spruell wrote: > Had a use case to ask about, apologies if I missed in docs. Is > there a configuration that allows squid running as forward proxy to > add a custom response header containing the origin server IP > addre

[squid-users] Supported configuration for adding origin server IP in response header

2014-10-16 Thread Darren Spruell
Had a use case to ask about, apologies if I missed in docs. Is there a configuration that allows squid running as forward proxy to add a custom response header containing the origin server IP address that served the resource? Assuming no cache hierarchy. In the event that the resource is served fr

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Markus Moeller
Hi Victor, That sounds a bit strange. Can you capture with wireshark the traffic on port 88 on the system which has squiduser in the cache ( best after a clear the cache with kerbtray first) when accessing squid and send it to me as cap file ? Markus "Victor Sudakov" wrote in message n

Re: [squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Christos Tsantilas
A patch for this bug attached to 4102 bug report. Please test it and report any problem. Regards, Christos On 10/16/2014 12:14 PM, Amm wrote: On 10/16/2014 02:35 PM, Jason Haar wrote: On 16/10/14 20:54, Jason Haar wrote: I also checked the ssl_db/certs dir and removed the facebook certs

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Victor Sudakov
This question is neither exactly squid-related nor Heimdal-related, but maybe some guru could shed some light. I configure MSIE to use the proxy server "proxy.sibptus.transneft.ru". On starting MSIE, some Windows hosts request a ticket for the principal "HTTP/proxy.sibptus.transneft.ru" and rec

[squid-users] DEAD Parent detection

2014-10-16 Thread daniel . rieken
Hi guys, I got a problem with DEAD Parent detection. I've configured 2 parents in squid.conf: cache_peer 10.0.0.101 parent 3128 0 default name=TEST1 cache_peer 10.0.0.102 parent 3128 0 name=TEST2 So when the first parent isn't reachable, squid detects this (Detected DEAD Parent: TEST1) and is u

Re: [squid-users] ssl-bump doesn't decrypt https traffic - please help

2014-10-16 Thread Rafael Akchurin
Hello Strudel, Please remove the 'ssl_bump client-first all' directive from your squid.conf because the 'include "/opt/qlproxy/etc/squid/squid.acl"' already contains 'ssl_bump server-first all' (or should contain). This file is generated from Web UI of Diladele when you click the "enable ssh

Re: [squid-users] ssl-bump doesn't decrypt https traffic - please help

2014-10-16 Thread Amos Jeffries
On 16/10/2014 9:13 p.m., apfelstrudel wrote: > Hello. I am trying to get ssl-bump to decrypt https traffic > transparently so that I could filter out adult videos from youtube > and to globally enforce google safesearch on my network with > diladele we

Re: [squid-users] Unable to display splash page on inactive timeout

2014-10-16 Thread Amos Jeffries
On 16/10/2014 9:29 p.m., santosh wrote: > Hello Amos, > > I'm just trying to create forceful re-authentication, this is just > for curiosity to see how things work by changing the > credentialsttl value in the conf file. I have set it as 2 minutes >

Re: [squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Amm
On 10/16/2014 02:35 PM, Jason Haar wrote: On 16/10/14 20:54, Jason Haar wrote: I also checked the ssl_db/certs dir and removed the facebook certs and restarted - didn't help let me rephrase that. I deleted the dirtree and re-ran "ssl_crtd -s /usr/local/squid/var/lib/ssl_db -c" - ie restarted w

Re: [squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Jason Haar
On 16/10/14 20:54, Jason Haar wrote: > I also checked the ssl_db/certs dir and > removed the facebook certs and restarted - didn't help let me rephrase that. I deleted the dirtree and re-ran "ssl_crtd -s /usr/local/squid/var/lib/ssl_db -c" - ie restarted with an empty cache. It didn't help. It crea

Re: [squid-users] Unable to display splash page on inactive timeout

2014-10-16 Thread santosh
Hello Amos, I'm just trying to create forceful re-authentication, this is just for curiosity to see how things work by changing the credentialsttl value in the conf file. I have set it as 2 minutes and below is what it looks in conf file, but I don't get any reprompting for username and password

[squid-users] ssl-bump doesn't decrypt https traffic - please help

2014-10-16 Thread apfelstrudel
Hello. I am trying to get ssl-bump to decrypt https traffic transparently so that I could filter out adult videos from youtube and to globally enforce google safesearch on my network with diladele web safety. I also want to run dansguardian to filter http. I managed to pass https traffic transpa

[squid-users] squid-3.4.8 sslbump breaks facebook

2014-10-16 Thread Jason Haar
Hi there Weird. sslbump seems to be working well, even intercepts twitter.com fine under FF-33 (with its pinning support, due to security.cert_pinning.enforcement_level=1) However, facebook.com generates a "sec_error_inadequate_key_usage" error. I cranked up debugging and see this. As you can se