Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-02-02 Thread Vieri
- Original Message - From: Amos Jeffries > > Reason #1 is that the TLS protocol is a security protocol for securing a > single 'hop' (just one TCP connection). So ideally TLS details would not > be remembered at all, it's a dangerous thing in security to remember > details in the middl

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-02-01 Thread Yuri Voinov
I'm sorry to interrupt, gentlemen - but Microsoft does not use certificate pinning in OWA? 01.02.2017 22:19, Amos Jeffries wrote: > On 27/01/2017 9:31 p.m., Vieri wrote: >> >> >> >> - Original Message - From: Alex Rousskov >> >> It's interesting to note that the following actually D

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-02-01 Thread Amos Jeffries
On 27/01/2017 9:31 p.m., Vieri wrote: > > > > > - Original Message - From: Alex Rousskov > > >>> It's interesting to note that the following actually DOES give >>> more information (unsupported > >>> protocol):> >> * If the server sent nothing, then Curl gave you potentially >> incor

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-27 Thread Vieri
- Original Message - From: Alex Rousskov >> It's interesting to note that the following actually DOES give more >> information (unsupported >> protocol):> > * If the server sent nothing, then Curl gave you potentially incorrect > information (i.e., Curl is just _guessing_ what went

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-26 Thread Alex Rousskov
On 01/26/2017 03:16 AM, Vieri wrote: > I'm guessing that it > should be possible for Squid to tell OpenSSL to report what it > actually said to the server without the need for an admin to do a > traffic dump and analysis. You are correct, but, in most cases, it is a lot easier to dump and analyz

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-26 Thread Vieri
- Original Message - From: Alex Rousskov > If my reconstruction of the events was correct, then OpenSSL supplied as > much information as it could -- the "unsupported TLS/SSL versions" is > _your_ conclusion based on the information that neither Squid nor > OpenSSL had access to. > > >>

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-25 Thread Alex Rousskov
On 01/25/2017 12:45 AM, Vieri wrote: > From: Alex Rousskov >> The peer at 10.215.144.21:443 accepted Squid connection and then closed >> it, probably before sending anything to Squid > It seems that Squid delegates SSL to OpenSSL and it's really too bad > the latter can't be a little bit more verb

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-24 Thread Vieri
- Original Message - From: Alex Rousskov > > The peer at 10.215.144.21:443 accepted Squid connection and then closed > it, probably before sending anything to Squid Thanks Alex. I was lucky enough to try the following options in cache_peer: ssloptions=NO_SSLv3,NO_SSLv2,NO_TLSv1_2,NO

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-24 Thread Alex Rousskov
On 01/24/2017 01:02 AM, Vieri wrote: > 2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535 The peer at 10.215.144.21:443 accepted Squid connection and then closed it, probably before sending anything to Squid (you did not show enough FD 18 history to confirm that with certa

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-24 Thread Vieri
- Original Message - From: Amos Jeffries > > You could try with a newer Squid version since the bio.cc code might be > making something else happen in 3.5.23. If that still fails the 4.0 beta > has different logic and far better debug info in this area. Hi again, I'm still strugglin

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-22 Thread Vieri
- Original Message - From: Amos Jeffries > > You could try with a newer Squid version since the bio.cc code might be > making something else happen in 3.5.23. If that still fails the 4.0 beta > has different logic and far better debug info in this area. I tried 3.5.23 and I finally g

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-20 Thread Alex Rousskov
On 01/20/2017 02:13 AM, Amos Jeffries wrote: > The key part is the "Error negotiating SSL on FD 16: > error::lib(0):func(0):reason(0) (5/0/0)" > > Which is OpenSSL's very obtuse way of telling Squid "an error > happened". With no helpful details about what error it was. Actually, this i

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-20 Thread Amos Jeffries
On 20/01/2017 10:44 p.m., Vieri wrote: > > - Original Message - > From: Amos Jeffries > >> Firstly remove the ssloptions=ALL from your config. >> > >> Traffic should be able to go through at that point. > > Thanks for the feedback. > > I tried it again, but this time with a non-OWA IIS

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-20 Thread Vieri
- Original Message - From: Amos Jeffries > Firstly remove the ssloptions=ALL from your config. > > Traffic should be able to go through at that point. Thanks for the feedback. I tried it again, but this time with a non-OWA IIS HTTPS server. Here's the squid.conf: https_port 10.2

Re: [squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-20 Thread Amos Jeffries
On 20/01/2017 1:03 p.m., Vieri wrote: > Hi, > > I'm trying to set up Squid as a reverse proxy on a host with IP address > 10.215.144.91 so that web browsers can connect to it on port 443 and request > pages from an OWA server at 10.215.144.21:443. > > I have this in my squid.conf: > > https_po

[squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

2017-01-19 Thread Vieri
Hi, I'm trying to set up Squid as a reverse proxy on a host with IP address 10.215.144.91 so that web browsers can connect to it on port 443 and request pages from an OWA server at 10.215.144.21:443. I have this in my squid.conf: https_port 10.215.144.91:443 accel cert=/etc/ssl/squid/owa_cert.