On 3/02/2017 10:19 a.m., Vieri wrote:
> Hi,
>
> Are the following two lines equivalent?
>
> https_port ... options=NO_SSLv3,NO_SSLv2,NO_TLSv1_1,NO_TLSv1
>
> https_port ... tls-min-version=1.2
>
Not quite. SSL is still handled specially by options=.
The top line is equivalent to:
On 02/02/2017 04:43 PM, salil GK wrote:
> we provide an interface for the admin to set
> whether forward proxy is enabled or not - and also specify which all
> peers need to be involved in the squid chaining ( parent child ). If I
> have say 4 machines - A,B,C and D. Admin can decide machine A
On Thu, Feb 2, 2017 at 3:51 PM, Amos Jeffries wrote:
> On 3/02/2017 7:56 a.m., tmb...@gmail.com wrote:
> > asnani_satish wrote
> >> This happens when size specified in cache_mem >= cache_dir
> >> Example:
> >> cache_dir aufs /var/spool/squid 1000 32 512
> >>implies 1000
On 3/02/2017 7:56 a.m., tmb...@gmail.com wrote:
> asnani_satish wrote
>> This happens when size specified in cache_mem >= cache_dir
>> Example:
>> cache_dir aufs /var/spool/squid 1000 32 512
>>implies 1000 MB physical disk space allotted for cache in specified
>> directory
>> cache_mem 900
Hello Alex
Thanks for the reply
what happens is - we provide an interface for the admin to set whether
forward proxy is enabled or not - and also specify which all peers need to
be involved in the squid chaining ( parent child ). If I have say 4
machines - A,B,C and D. Admin can decide
On 3/02/2017 1:43 a.m., angelv wrote:
> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries wrote:
>
>> On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
>>> So we can't even use the free certs from letsencrypt with Squid??
>>>
>>
>> Not for MITM / SSL-Bump no.
>>
>> The very
On 3/02/2017 3:16 a.m., creditu wrote:
> I have seen the use of deny_info done a few ways in regard to the
> placement of the http_access line:
>
> acl www dstdomain www.example.com
>
> deny_info http://www.other.com www
> http_access deny www
>
> Or
>
> http_access deny www
> deny_info
lol
mostly this is when vary changed lol
when they work on vary as it should be, then most of those messages will go away
not 100% but most of them
I'm not going into detail but it's the vary in the header
On 02/01/2017 12:06 AM, salil GK wrote:
> I need to know whether the connectivity is through from squid
> child to squid parent.
...
> I need to know in both machines that the squid channel is active.
...
> if the heartbeat is exchanged successfully !!
It is not clear what you mean by
Hi,
Are the following two lines equivalent?
https_port ... options=NO_SSLv3,NO_SSLv2,NO_TLSv1_1,NO_TLSv1
https_port ... tls-min-version=1.2
Thanks,
Vieri
asnani_satish wrote
> This happens when size specified in cache_mem >= cache_dir
> Example:
> cache_dir aufs /var/spool/squid 1000 32 512
>implies 1000 MB physical disk space allotted for cache in specified
> directory
> cache_mem 900 MB
>cache size to be used by squid which must be less
You are not alone but you first need to define and understand your goals in a
more technical way.
Squid can understand HTTP, TLS/SSL, IP and layer 2 MAC address.
If in one of these you can recognize that the client needs to be bypassed from
SSL bump or interception in general you would be able to
On 02.02.2017 00:45, Yuri Voinov wrote:
Yes, it requires performing extended diagnostics, including at the system
level.
BTW, it can also be network IO. And it is possible that it is even a slow DNS.
Have to search.
squid-3.5.23 or squid-3.5.24 with bug-4606-v3.patch
I have seen the use of deny_info done a few ways in regard to the
placement of the http_access line:
acl www dstdomain www.example.com
deny_info http://www.other.com www
http_access deny www
Or
http_access deny www
deny_info http://www.other.com www
The example on the squid acl page uses the
- Original Message -
From: Amos Jeffries
> Renegotiating to an insecure version or cipher set is an issue to be
> fixed by configuring tls-min-version=1.Y and tls-options= disabling
> unwanted ciphers etc.
>
> The potential DoS related to renegotiation is now
On 3/02/2017 2:09 a.m., Vieri wrote:
> Hi,
>
> I'm running Squid 4 beta.
>
> # squid -v
> Squid Cache: Version 4.0.17-20170122-r14968
>
> I tested the following where Squid is listening on port 443 in accel mode.
>
> # echo "R" | openssl s_client -connect 192.168.101.2:443 2>&1 3>&1 | grep
>
>
> acl tls_s1_connect at_step SslBump1
>
> acl tls_vip_users fill-in-your-details
>
> ssl_bump splice tls_vip_users # do not peek/bump vip users
> ssl_bump peek tls_s1_connect # peek at connections of other
> users
> ssl_bump stare all #
On 3/02/2017 1:22 a.m., Sergey Klusov wrote:
>
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>>
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get working transparent setup allowing only certain
>>> domains and have problem that in order to allow https
- Original Message -
From: Amos Jeffries
>
> Reason #1 is that the TLS protocol is a security protocol for securing a
> single 'hop' (just one TCP connection). So ideally TLS details would not
> be remembered at all, it's a dangerous thing in security to remember
The terminology may be confusing:
ssl_bump means more or less "looking at HTTPS traffic"
ssl_bump splice means "do not bump/intercept HTTPS traffic. No fake CA certificates
are used"
ssl_bump bump means "bump/intercept HTTPS traffic and use a fake CA
certificate"
So the question is
Date: Thu, 2 Feb 2017 03:46:44 +1300
From: Amos Jeffries
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] transparent http and https filter with
white-list only
Message-ID: <1d01efe0-83f8-2a91-c0ac-fd8ef7692...@treenet.co.nz>
Content-Type:
I am with you on this. Unfortunately, just as a certain subject turns out
not to be easy for someone in school, so does ssl_bump for me!
On 2 February 2017 at 14:37, FredB wrote:
> Thanks Eliezer
>
> Unfortunately my "lan" is huge, many thousands of people, and MAC
> addresses are
Thanks Eliezer
Unfortunately my "lan" is huge, many thousands of people, and MAC addresses are
not known
I'm very surprised, am I alone with this? Nobody needs to exclude some users
from SSLBump?
Fredb
Hello
I have a requirement that I need to restrict access to the squid proxy (
forward proxy ) using the client certificate. All client certificates are
available on the squid servers. Could anybody help me with solving this?
Thanks
~S
Have you considered an external_acl that will help you to do this by the mac
address or by another way like a "bypass" portal?
With mac addresses DB you can know if the device is from one manufacturer or
another.
The hackers in your network will always find a way to bypass ssl bump
eventually
On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
> So we can't even use the free certs from letsencrypt with Squid??
>
Not for MITM / SSL-Bump no.
The very first clause of the purchase contract for the LetsEncrypt CA is:
"
By requesting, accepting, or using a Let’s Encrypt Certificate:
*
So we can't even use the free certs from letsencrypt with Squid??
On 2 February 2017 at 11:35, FredB wrote:
>
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
>
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to
From: http://wiki.squid-cache.org/Features/DynamicSslCert
"In theory, you must either import your root certificate into browsers or
instruct users on how to do that. Unfortunately, it is apparently a common
practice among well-known Root CAs to issue subordinate root certificates. If
you have
So how can I manage computers without my CA? (e.g. a laptop temporarily connected)
In my situation I also have some smartphones in some cases connected to my
squids; how can I exclude them from SSLBump?
I have already some ACL based on authentication (user azerty = with/without
some rules)