Re: [squid-users] choose TLS version

2017-02-02 Thread Amos Jeffries
On 3/02/2017 10:19 a.m., Vieri wrote:
> Hi,
>
> Are the following two lines equivalent?
>
> https_port ... options=NO_SSLv3,NO_SSLv2,NO_TLSv1_1,NO_TLSv1
>
> https_port ... tls-min-version=1.2

Not quite. SSL is still handled specially by options=. The top line is equivalent to:

Re: [squid-users] heart beet between squid peers

2017-02-02 Thread Alex Rousskov
On 02/02/2017 04:43 PM, salil GK wrote:
> we provide an interface for the admin to set
> whether forward proxy is enabled or not - and also specify which all
> peers need to be involved in the squid chaining ( parent child ). If I
> have say 4 machines - A,B,C and D. Admin can decide machine A

Re: [squid-users] DiskThreadsDiskFile::openDone squid 3.5.0.4

2017-02-02 Thread Tory M Blue
On Thu, Feb 2, 2017 at 3:51 PM, Amos Jeffries wrote:
> On 3/02/2017 7:56 a.m., tmb...@gmail.com wrote:
>> asnani_satish wrote
>>> This happens when size specified in cache_mem >= cache_dir
>>> Example:
>>> cache_dir aufs /var/spool/squid 1000 32 512
>>> implies 1000

Re: [squid-users] DiskThreadsDiskFile::openDone squid 3.5.0.4

2017-02-02 Thread Amos Jeffries
On 3/02/2017 7:56 a.m., tmb...@gmail.com wrote:
> asnani_satish wrote
>> This happens when size specified in cache_mem >= cache_dir
>> Example:
>> cache_dir aufs /var/spool/squid 1000 32 512
>> implies 1000 MB physical disk space allotted for cache in specified
>> directory
>> cache_mem 900

Re: [squid-users] heart beet between squid peers

2017-02-02 Thread salil GK
Hello Alex, thanks for the reply. What happens is: we provide an interface for the admin to set whether forward proxy is enabled or not, and also specify which all peers need to be involved in the squid chaining (parent/child). If I have say 4 machines - A, B, C and D, the admin can decide

Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Amos Jeffries
On 3/02/2017 1:43 a.m., angelv wrote:
> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries wrote:
>
>> On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
>>> So we can't even use the free certs from letsencrypt with Squid??
>>>
>>
>> Not for MITM / SSL-Bump no.
>>
>> The very

Re: [squid-users] Deny_Info

2017-02-02 Thread Amos Jeffries
On 3/02/2017 3:16 a.m., creditu wrote:
> I have seen the use of deny_info done a few ways in regard to the
> placement of the http_access line:
>
> acl www dstdomain www.example.com
>
> deny_info http://www.other.com www
> http_access deny www
>
> Or
>
> http_access deny www
> deny_info

Re: [squid-users] DiskThreadsDiskFile::openDone squid 3.5.0.4

2017-02-02 Thread joseph
lol mostly of this are when vary changed lol when they work on vary as it should be then most of those msg will go away not 100% but most of them I'm not going into detail but it's the vary in header

Re: [squid-users] heart beet between squid peers

2017-02-02 Thread Alex Rousskov
On 02/01/2017 12:06 AM, salil GK wrote:
> I need to know whether the connectivity is through from squid
> child to squid parent.
...
> I need to know in both machines that the squid channel is active.
...
> if the heartbeat is exchanged successfully !!

It is not clear what you mean by

[squid-users] choose TLS version

2017-02-02 Thread Vieri
Hi,

Are the following two lines equivalent?

https_port ... options=NO_SSLv3,NO_SSLv2,NO_TLSv1_1,NO_TLSv1

https_port ... tls-min-version=1.2

Thanks,
Vieri

Re: [squid-users] DiskThreadsDiskFile::openDone squid 3.5.0.4

2017-02-02 Thread tmb...@gmail.com
asnani_satish wrote
> This happens when size specified in cache_mem >= cache_dir
> Example:
> cache_dir aufs /var/spool/squid 1000 32 512
> implies 1000 MB physical disk space allotted for cache in specified
> directory
> cache_mem 900 MB
> cache size to be used by squid which must be less

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
You are not alone but you first need to define and understand your goals in a more technical way. Squid can understand HTTP TLS\SSL IP and LAYER 2 MAC address. If in one of these you can recognize that the client needs to be bypassed from SSL BUMP or interception in general you would be able to

Re: [squid-users] High utilization of CPU squid-3.5.23, squid-3.5.24

2017-02-02 Thread Vitaly Lavrov
On 02.02.2017 00:45, Yuri Voinov wrote:
> Yes, it is required to perform extended diagnostics, including the system level. BTW, it can also be network IO. And it is possible that it is even a slow DNS. Have to search.

squid-3.5.23 or squid-3.5.24 with bug-4606-v3.patch

[squid-users] Deny_Info

2017-02-02 Thread creditu
I have seen the use of deny_info done a few ways in regard to the placement of the http_access line:

acl www dstdomain www.example.com

deny_info http://www.other.com www
http_access deny www

Or

http_access deny www
deny_info http://www.other.com www

The example on the squid acl page uses the

Re: [squid-users] renegotiation

2017-02-02 Thread Vieri
- Original Message -
From: Amos Jeffries
> Renegotiating to an insecure version or cipher set is an issue to be
> fixed by configuring tls-min-version=1.Y and tls-options= disabling
> unwanted ciphers etc.
>
> The potential DoS related to renegotiation is now

Re: [squid-users] renegotiation

2017-02-02 Thread Amos Jeffries
On 3/02/2017 2:09 a.m., Vieri wrote:
> Hi,
>
> I'm running Squid 4 beta.
>
> # squid -v
> Squid Cache: Version 4.0.17-20170122-r14968
>
> I tested the following where Squid is listening on port 443 in accel mode.
>
> # echo "R" | openssl s_client -connect 192.168.101.2:443 2>&1 3>&1 | grep

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
>
> acl tls_s1_connect at_step SslBump1
>
> acl tls_vip_users fill-in-your-details
>
> ssl_bump splice tls_vip_users   # do not peek/bump vip users
> ssl_bump peek tls_s1_connect    # peek at connections of other
> users
> ssl_bump stare all              #

Re: [squid-users] squid-users Digest, Vol 30, Issue 3

2017-02-02 Thread Amos Jeffries
On 3/02/2017 1:22 a.m., Sergey Klusov wrote:
>
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>>
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get working transparent setup allowing only certain
>>> domains and have problem that in order to allow https

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-02-02 Thread Vieri
- Original Message -
From: Amos Jeffries
>
> Reason #1 is that the TLS protocol is a security protocol for securing a
> single 'hop' (just one TCP connection). So ideally TLS details would not
> be remembered at all, it's a dangerous thing in security to remember

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Marcus Kool
The terminology may be confusing:

ssl_bump means more or less "looking at HTTPS traffic"
ssl_bump splice means "do not bump/intercept HTTPS traffic. No fake CA certificates are used"
ssl_bump bump means "bump/intercept HTTPS traffic and use a fake CA certificate"

So the question is

Re: [squid-users] squid-users Digest, Vol 30, Issue 3

2017-02-02 Thread Sergey Klusov
Date: Thu, 2 Feb 2017 03:46:44 +1300
From: Amos Jeffries
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] transparent http and https filter with white-list only
Message-ID: <1d01efe0-83f8-2a91-c0ac-fd8ef7692...@treenet.co.nz>
Content-Type:

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Odhiambo Washington
I am with you on this. Unfortunately, the way a certain subject turns out not easy for someone in school, so does ssl_bump to me!

On 2 February 2017 at 14:37, FredB wrote:
> Thanks Eliezer
>
> Unfortunately my "lan" is huge, many thousands of people, and MAC
> addresses are

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
Thanks Eliezer

Unfortunately my "lan" is huge, many thousands of people, and MAC addresses are not known.

I'm very surprised, am I alone with this? Nobody needs to exclude some users from SSLBump?

Fredb

[squid-users] can I authenticate client based on their certificate

2017-02-02 Thread salil GK
Hello

I have a requirement that I need to restrict access to the squid proxy (forward proxy) using the client certificate. All client certificates are available in the squid servers. Could anybody help me on solving this?

Thanks
~S

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
Have you considered an external_acl that will help you to do this by the MAC address or by another way like a "bypass" portal? With a MAC addresses DB you can know if the device is from one manufacturer or another. The hackers in your network will always find a way to bypass ssl bump eventually

Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Amos Jeffries
On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
> So we can't even use the free certs from letsencrypt with Squid??
>

Not for MITM / SSL-Bump no.

The very first clause of the purchase contract for the LetsEncrypt CA is:

" By requesting, accepting, or using a Let’s Encrypt Certificate: *

Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Odhiambo Washington
So we can't even use the free certs from letsencrypt with Squid??

On 2 February 2017 at 11:35, FredB wrote:
>
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
>
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to

Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread FredB
From: http://wiki.squid-cache.org/Features/DynamicSslCert

"In theory, you must either import your root certificate into browsers or instruct users on how to do that. Unfortunately, it is apparently a common practice among well-known Root CAs to issue subordinate root certificates. If you have

Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
So how can I manage computers without my CA? (e.g. a laptop temporarily connected) In my situation I also have some smartphones in some cases connected to my squids; how can I exclude them from SSLBump? I already have some ACLs based on authentication (user azerty = with/without some rules)