[squid-users] ssl_bump and SNI

2015-03-05 Thread Sergey Pronin
Hello guys, I have a question about bumping and SNI. Is it supported now in squid 3.5? What do I have: Debian Linux, squid 3.5.2. Config for SSL transparent interception is the following:
https_port 10.10.115.7:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

Re: [squid-users] ssl_bump and SNI

2015-03-05 Thread Yuri Voinov
Transparent interception in 3.5 still does not completely support SNI. Only in the 3.4.x branch. And yes - you are doing it wrong in your config: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit 05.03.15 17:53, Sergey Pronin wrote: > Hello guys

Re: [squid-users] ssl_bump and SNI

2015-05-19 Thread sp_
Hi, were there any improvements in squid 3.5 recently? I've tried peek-n-splice again in 3.5.4, but again the transparent proxy for hosts using SNI is not working properly. My config for ssl-bump is the following:

Re: [squid-users] ssl_bump and SNI

2015-05-19 Thread Amos Jeffries
On 20/05/2015 1:12 a.m., sp_ wrote: > Hi, > > were there any improvements in squid 3.5 recently? > I've tried peek-n-splice again in 3.5.4, but again transparent proxy for > hosts using SNI is not working properly. > > My config for ssl-bump is the following: > > > acl step1 at_step SslBump1 >

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
Hello Amos, I still get IP-addresses instead of domain names:

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread Amos Jeffries
On 20/05/2015 8:22 p.m., sp_ wrote: > Hello Amos, > > I still get IP-addresses instead of domain names: > That appears to be because the requests are just denied. Not peeked or spliced. When a new TCP connection is intercepted Squid starts with only the IP address. Generates a fake CONNECT reque

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
I have tried to remove all the restrictions, but still: -SP

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread Vadim Rogoziansky
Hi, check something like this:
acl step1 at_step SslBump1
ssl_bump stare step1 all
acl sslBumpDeniedDstDomain ssl::server_name google.com
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all
On 5/20/2015 2:33 PM, sp_ wrote: I have tried to remove all the restrictions, but still: -SP

Re: [squid-users] ssl_bump and SNI

2015-05-20 Thread sp_
Hi Vadim, I've tried using these options - it did not help. I've even tried to add %rd to the logs, but still, IPs are shown: Vadim Rogoziansky wrote > Hi, > > check something like this > > acl step1 at_step SslBump1 > ssl_bump stare step1 all > > acl sslBumpDeniedDstDomain ssl::server_name google

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread sp_
Hello, does anyone have a working squid 3.5 with intercept + https? I've googled a lot, but it seems there is no positive experience with it.

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread Nathan Hoad
Yes, I have it working on about a dozen deployments so far, using an external ACL to make bumping decisions based on the SNI server name and a few other things. No complaints from me, it Just Works. On 29/05/2015 5:50 pm, "sp_" wrote: > Hello, > > does anyone have the working squid 3.5 with inter

Re: [squid-users] ssl_bump and SNI

2015-05-29 Thread James Lay
On 2015-05-29 08:57 AM, Nathan Hoad wrote: Yes, I have it working on about a dozen deployments so far, using an external ACL to make bumping decisions based on the SNI server name and a few other things. No complaints from me, it Just Works. On 29/05/2015 5:50 pm, "sp_" wrote: Hello, does any

Re: [squid-users] ssl_bump and SNI

2015-05-31 Thread Nathan Hoad
Hello, Here are some excerpts of what I've used, and an example Python helper:
https_port 60099 intercept ssl-bump tcpkeepalive cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3 generate-host-certificates=on
external_acl_type sni ttl=30 concurrency=X children-max=Y children-s

Re: [squid-users] ssl_bump and SNI

2015-06-01 Thread James Lay
On Mon, 2015-06-01 at 12:12 +1000, Nathan Hoad wrote: > Hello, > > Here are some excerpts of what I've used, and an example Python helper: > > https_port 60099 intercept ssl-bump tcpkeepalive > cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3 > generate-host-certificates=on

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread sp_
Hello Nathan, thank you for the example. What version of squid are you running? Mine is: I've tried to apply the config you've posted, but with no luck. Squid can't get the domain:

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread Amos Jeffries
On 4/06/2015 2:27 a.m., sp_ wrote: > Hello Nathan, > > thank you for the example. > > What version of squid are you running? > Mine is: > > > I've tried to apply the config you've posted, but with no luck. Squid can't > get the domain: > > Well, it's not a simple situation. Let's start with cla

Re: [squid-users] ssl_bump and SNI

2015-06-03 Thread sp_
Hello Amos, thank you for your reply. Let's take for instance this line: I have dumped the traffic passing through the interface on the router during this request. In the Client Hello, in the "server_name" extension, I can see the domain: According to the RFC, the domain is a must in the Client Hello when SNI is

Re: [squid-users] ssl_bump and SNI

2015-06-04 Thread Amos Jeffries
On 4/06/2015 6:29 p.m., sp_ wrote: > Hello Amos, > > thank you for your reply. > > Let's take for instance this line: > > 192.168.78.31 - - [04/Jun/2015:09:41:22 +0300] "CONNECT 173.194.122.233:443 > HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE > > > I have dumped the traffic passing through