again (I have never seen this before) I'll be sure
to do the debugging thang.
On Tue, Feb 22, 2022 at 3:16 AM Alex Rousskov <
rouss...@measurement-factory.com> wrote:
> On 2/20/22 20:43, Jason Haar wrote:
>
> > I've noticed that the Internet ipv6 is not quite as reliable as ipv
what's going on there? thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
___
squid-users mailing list
squid-users@lists.squi
ability?
--
Cheers
Jason Haar
please *don't*
> CC me.
> _______
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> __
f Of Amos Jeffries
> Sent: Monday, July 31, 2017 13:22
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] dumb question: how to get http server IP into
> logs?
>
> On 30/07/17 22:02, Jason Haar wrote:
> > Hi there
> >
> > We're running squid-3.5.2
that by default?
(DIRECT/1.2.3.4?). All our logs are now "HIER_DIRECT"
Thanks
--
Cheers
Jason Haar
t to avoid as
I believe it has no future due to pinning.
Off to upgrade to 3.5.22 :-)
--
Cheers
Jason Haar
is more secure over cleartext - but it's
also noticeably slower than Basic over latency links, so you can choose
your poison there
If you're really keen, you can actually do proxy-over-TLS via WPAD with
Firefox/Chrome - at which point I'd definitely recommend Basic for the
performance reasons ;-)
lls block it so as to force it to tcp/443 - but you're
implying there are yet more alternatives?
--
Cheers
Jason Haar
sponse to a public
> records request, do not send electronic mail to this entity. Instead,
> contact this office by phone or in writing.
>
>
5
acl SSL_https port 443
ssl_bump splice SSL_https
On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <
vitoantonio.smald...@istruzione.it> wrote:
> Hi all,
> great, i'm just searching for this. Jason can you kindly post the whole
> squid.conf?
> Thanks
> V
>
>
to
this simplest case for the moment and avoid the "peek" call
Thanks!
Jason
On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 21/03/2016 10:29 a.m., Jason Haar wrote:
> > Hi there
> >
> > I'm wanting to use tls intercept to just log (well
intercept basically ditches
the tcp/443 connection - which is as good as it gets without getting into
the wonderful world of real "bump"
--
Cheers
Jason Haar
HTTP.
>
> You need to go looking for a SOCKS proxy.
>
> Amos
>
>
--
Cheers
Jason Haar
traffic
instead of https specific?
--
Cheers
Jason Haar
anyone figured out how to get
squid-4 working on such older systems?
Thanks
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
y like content
filtering proxies find it hard to keep up as they have become the enemy
(because they can be used for evil as well as good).
--
Cheers
Jason Haar
ITY ALERT: Host header forgery
detected on local=192.30.252.92:443 remote=192.168.0.7:46647 FD 275
flags=33 (local IP does not match any domain IP)
2016/01/12 13:03:59.200 kid1| SECURITY ALERT: on URL: live.github.com:443
--
Cheers
Jason Haar
e scraping are you also filtering for duplicates and reducing
> multiple URLs in one domain down to fewer entries?
Yeah - no dupes - but no manually reading to figure out patterns
either. That would take a human eye - and I want set-and-forget automation
--
Cheers
Jason Haar
acl type - so regex it is (can't use
dstdomain because we want to block "http://good.site/bad.url" - not all
of "good.site")
--
Cheers
Jason Haar
1sec). I'd say "outsourcing" this kind of
function to another process (such as url_rewriter or ICAP) still has
its advantages ;-)
--
Cheers
Jason Haar
files
that allowed for rapid searching for matches - is this done within squid
now? (presumably it wasn't some time ago?). If so, is that done in
memory or via the acl files? (ala SG) - the former means a much slower
squid startup?
Thanks
--
Cheers
Jason Haar
On 06/01/16 17:39, Amos Jeffries wrote:
> On 6/01/2016 5:04 p.m., Jason Haar wrote:
>> Hi there
>>
>> Weird - several times in the past couple of months I have found I cannot
>> get to http://wiki.squid-cache.org/ - I get the error below from my
>> squid-3.5.11 se
request again.
Your cache administrator is webmaster.
--
Cheers
Jason Haar
at what cache.log says about
> the state of the request that is being checked and failing.
I think we know what the problem is: TOR is making TLS connections (I
don't know if they're HTTPS) on port 443 and uses SNI names that aren't
real?
--
Cheers
Jason Haar
acl SSL_https port 443
ssl_bump splice SSL_https
--
Cheers
Jason Haar
ssfully used TOR, it must have cached a bunch of
things because I then re-enabled intercept and it's no longer making any
tcp/443 connections - it goes straight out on other "native" TOR ports.
So it may be this can only be tested on a fresh install (or after some
cache timeout period)
--
ient browser.
Could that be DNS? Is the server configured to use valid DNS servers?
Check each of them yourself to see what their response times are like, eg
time nslookup some.valid.site.that.isn't.in.cache
maybe you'll see 2sec show up on one of them...
--
Cheers
Jason Haar
On 15/10/15 14:25, Amos Jeffries wrote:
> All those lines imply is a certificate verify problem inside the SSL
> library.
Would it be possible to put the ip:port in those error messages? Would
certainly help answer those questions...
--
Cheers
Jason Haar
>>> server-first SSL bumping.
>>>>>>
>>>>>> I’m using Squid 3.5.10 and this is my current config:
>>>>>> https://gist.github.com/djch/9b883580c6ee84f31cd1
>>>>>>
>>>>>> Anyone have any idea what I can
splice !SNIpresent
ssl_bump splice NoSSLIntercept
ssl_bump bump is_ssl
--
Cheers
Jason Haar
t; k=/System/Library/Keychains/X509Anchors
> /dev/null 2>&1 || true
The "ipsec/smime" stuff is actually not needed - but I don't care ;-) I
went for the carpet bombing approach for the Mac (which I don't know well)
--
Cheers
Jason Haar
the CAs used
by those sites - thus causing the problem you see? Certainly matches the
symptoms
--
Cheers
Jason Haar
ly (ie I'm making sure revoked certs are never
bumped)
But this is a bug in squid - this means untrustworthy certs become
trusted again - not a good look
--
Cheers
Jason Haar
ally got anything to do with the CA itself)
--
Cheers
Jason Haar
.
--
Cheers
Jason Haar
and
there's no obvious signs of a cert error - so I can't figure out what is
going wrong. I've manually downloaded the server cert using "openssl
s_client" and the cert chain validates just fine - so what is squid
doing to it? Weird...
--
Cheers
Jason Haar
.v.x.+!..n..J@9.[.J.C.1.L5.(.%%..9..
Signature Algorithm: sha256WithRSAEncryption
Fake:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
--
Cheers
Jason Haar
900 ); Negative Cache TTL
> ;
> @ IN NS dns1.cmb.emprea.com.
> @ IN MX 10 webmail.cmb.emprea.com.
> ...
> proxy IN A 192.168.0.69
> wpad IN
g format, log parsers would skip all
PEEKED/CONNECT lines as redundant (although they're useful for us humans)
Yeah, it would break existing logging tools - but so does the "GET
https://..." stuff anyway - so they need updating too ;-)
--
Cheers
Jason Haar
ept is bleak
--
Cheers
Jason Haar
)
--
Cheers
Jason Haar
On 20/08/15 12:42, Jason Haar wrote:
So now I can:
1. ###dynamically whitelist/splice non-SNI traffic via its existence
(commented because it didn't work - ended up splicing everything)
Figured that one out: .* is a file - .* is a regex :-)
--
Cheers
Jason Haar
who bash their way through multiple layers
of browser warning popups/etc in order to get infected are out of scope ;-)
Thanks again for your help Alex. Hopefully this conversation will be
useful for others. TLS intercept is a bit of a step up in complexity
over standard TCP ;-)
--
Cheers
Jason
is
useful)
--
Cheers
Jason Haar
On 6/07/15 2:01 am, Walter H. wrote:
reply_header_access Public-Key-Pins deny all
but this doesn't really work; is there another way?
If you think you can override all pinning options, then I'm afraid
you're mistaken. Well written security apps should do their darndest to
stop TLS intercept
to mind
--
Cheers
Jason Haar
www.site.name as the SNI)
--
Cheers
Jason Haar
On 21/06/15 10:45, Antony Stone wrote:
The former - squid does the download and passes the content to ICAP.
Great. So squid does all the network calls and ICAP simply gets to
review the content (request and/or response) and potentially change it.
Perfect :-)
Thanks!
--
Cheers
Jason Haar
, ipv6
support,etc)
Thanks
--
Cheers
Jason Haar
optional)
--
Cheers
Jason Haar
.
Yeah - windows firewall is a major pain. Better to turn the darn thing
off and rely on something else
--
Cheers
Jason Haar
looking at making that work in
transparent mode. And you *definitely* want ssl_crtd.
--
Cheers
Jason Haar
intercept :-)
--
Cheers
Jason Haar
are correct
ie this smells like you actually do have ipv6 enabled, but it's broken
in some subtle way (like the pmtu issue Amos mentioned)
--
Cheers
Jason Haar
with tools like traceroute whose
behaviour *might* mimic that which squid is doing and instead use
tcpdump to actually *see* what squid is doing. Anyone running network
services has got to become proficient in the use of network sniffers -
they are invaluable
--
Cheers
Jason Haar
), then their options
are extremely limited
--
Cheers
Jason Haar
content filtering of HTTPS (because the bad guys are deliberately
putting more and more malware onto HTTPS websites), and yet on the other
hand we all want some things to be private.
Bring back RFC3514, then all of this would be easy!!!
--
Cheers
Jason Haar
code.
Jason
--
Cheers
Jason Haar
(although it took me a few minutes to realise I have to sniff port
3129 [which I redirected 443 onto] as well as 443 to get the full tcp
session)
--
Cheers
Jason Haar
this work :-(
--
Cheers
Jason Haar
(we're still on 3.1) supports chunked before getting back to them (and
yes we have already asked them how to test it and they don't know: sigh
- users!!!)
Thanks!
--
Cheers
Jason Haar
to the success of transparent HTTPS
bumping? (ie is it because there wasn't a SNI hostname)
--
Cheers
Jason Haar
Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
--
Cheers
Jason Haar
about me mentioning Chrome, it's just that I know Google
designed Chrome to use the same OS settings that MSIE does when it can -
so any bug/issue with those libraries could affect Chrome if they affect
MSIE)
--
Cheers
Jason Haar
into squid? I think you'd find you'd
need an external acl check to do that bit anyway :-)
--
Cheers
Jason Haar
the cracks for all I care ;-)
--
Cheers
Jason Haar
isn't the outcome we're after.
I'm going to have to look at squid-3.5 ;-)
--
Cheers
Jason Haar
However, you say SSL - did you mean HTTPS? ie discovering an ip:port
is an IMAPS server doesn't really help squid talk to it - surely you want
to discover HTTPS servers - and everything else should be
pass-through/splice?
--
Cheers
Jason Haar
correct and
eyeballed as good) and simply didn't work as a transparent proxy! As
it was only 1 of 3, we had some sites worked, some didn't. :-)
Fixed ;-)
--
Cheers
Jason Haar
traffic? Can TPROXY be used over WCCP?
Thanks!
--
Cheers
Jason Haar
the same thing using client certs and will
probably use stunnel (instead of laying the SCCM server bare-assed on
the Internet)
Jason
--
Cheers
Jason Haar
staff to use (authenticated of course!) - WPAD makes that something
we could implement with no client changes - pretty cool :-)
--
Cheers
Jason Haar
::runOnce() ()
#26 0x00593e48 in EventLoop::run() ()
#27 0x00613e48 in SquidMain(int, char**) ()
#28 0x006147d8 in main ()
(gdb) quit
A debugging session is active.
Inferior 1 [process 29756] will be killed.
Quit anyway? (y or n) y
--
Cheers
Jason Haar
should fix the crash.
Amos
--
Cheers
Jason Haar
/-1/0)
At the very least, with that I could have a cronjob grep through my
cache.log to auto-create a bump none acl ;-)
Thanks
--
Cheers
Jason Haar
be like me and
purely interested in using sslbump for enabling SSL content filtering,
and I really doubt we'll be seeing many viruses via client-cert
protected https any time soon ;-)
--
Cheers
Jason Haar
test it and report any problem.
Regards,
Christos
On 10/16/2014 12:14 PM, Amm wrote:
On 10/16/2014 02:35 PM, Jason Haar wrote:
On 16/10/14 20:54, Jason Haar wrote:
I also checked the ssl_db/certs dir and
removed the facebook certs and restarted - didn't help
let me rephrase that. I
+Sign=signTrusted is valid
2014/10/16 18:40:17.956 kid1| ctx: enter level 0: 'www.facebook.com:443'
2014/10/16 18:40:17.956 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry:
destroying entry 0x30c0810: 'Host: www.facebook.com:443'
--
Cheers
Jason Haar
On 16/10/14 20:54, Jason Haar wrote:
I also checked the ssl_db/certs dir and
removed the facebook certs and restarted - didn't help
let me rephrase that. I deleted the dirtree and re-ran ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -c - ie restarted with an empty cache.
It didn't help. It created
/
so this means the CA's Ubuntu lists in /etc/ssl/certs/ is out of date
compared with Firefox?
Really a rhetorical question, just kinda wanting to know about where
sslbump will run into trouble, etc :-)
--
Cheers
Jason Haar
them?
Thanks!
--
Cheers
Jason Haar
cert and instead has been relying on
manually providing an override on each fake cert will suddenly find
their apps have broken as the cert has changed, hence my question
regarding how to detect which certs need replacing and only replacing
those ones
--
Cheers
Jason Haar
Thanks for that, shouldn't squid be listed there as an ICAP client?
On 19/08/14 17:56, Amos Jeffries wrote:
http://www.icap-forum.org/icap?do=productsisServer=checked
--
Cheers
Jason Haar
Hi there
I've been testing out squidclamav as an ICAP service and it works well.
I was wondering what other AV vendors have (linux) ICAP-capable
offerings that could similarly be hooked into Squid?
Thanks
--
Cheers
Jason Haar
.
Unfortunately, as far as I'm aware, the only browser that supports proxy
connections over SSL is Chrome/Chromium. Firefox *almost* is ready to
support it - but not yet
--
Cheers
Jason Haar
Googling apache x-forwarded-for led me to mod_extract_forwarded
http://www.openinfo.co.uk/apache/
--
Cheers
Jason Haar
,
squid-3.1.10 and newer work fine if the ipv6 address allocated to a site
is up and responding, but cause issues if it is not
--
Cheers
Jason Haar
motivations are justified, but diametrically opposed)
--
Cheers
Jason Haar
...and just as an addendum, telnet shows the kind of behaviour I'd
expect to see from squid
telnet cs.co 80
Trying 2001:4800:13c1:10:222:19ff:fe00:cbb...
Trying 67.192.93.178...
Connected to cs.co.
Escape character is '^]'.
On 28/07/14 10:35, Jason Haar wrote:
Hi there
I'm seeing
self-signed certs, and the
proxy gets to see into the content, potentially running AVs over
content/etc.
...or haven't I looked hard enough and this is already an option? :-)
Thanks
--
Cheers
Jason Haar
Henrik Nordstrom wrote:
ons 2008-04-09 klockan 16:34 +1200 skrev Jason Haar:
Seems to work well - but there's no indication of how long an IP would
end up blacklisted if it occurred.
Well, they would earn back 1k/s when idle, until their pool is full
again.
But you probably should
really after - but we don't want daily outages just to reset the
stats...
Thanks, this is with squid-2.6STABLE17 under CentOS
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063