On 26/11/2014 7:22 a.m., Vadim Rogoziansky wrote:
> Hello All.
>
> My goal is to do ssl bumping in transparent proxy mode with domain
> exclude possibility. Let me tell you about squid's strange
> behaviour when I'm trying to do it.
>
> In browsers it says something like this:
> "This server could not prove that it is www.ukr.net; its security
> certificate is from 212.42.76.253. This may be caused by a
> misconfiguration or an attacker intercepting your connection.
> NET::ERR_CERT_COMMON_NAME_INVALID
> Subject: 212.42.76.253"
>
> Looks like squid takes the CN from the certificate as the IP address of
> the destination domain.
Squid takes the IP address from the TCP packet. Which is all that is
available in NAT intercepted traffic at bumping step #1.

The ACLs you have therefore determine that "bump" action is to happen.
Correct?

The cert details are therefore mimicked from what gets delivered by the
server. It may be that the server is depending on SNI to generate its
own cert, but since Squid does not have that domain name already an
IP-based cert comes back.

It may also be that some ISP upstream of you is bumping the encryption
with client-first method.

> But, everything works smoothly when I use proxy in non transparent
> mode and put it to the browser directly.

In which case the browser sends domain name to the proxy in its CONNECT
message starting the HTTPS. The possible results are very different.

Amos
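As an added illustration (not part of Amos's reply and not taken from the Squid project's own documentation), the following squid.conf fragment shows the peek-and-splice arrangement that addresses the situation described above: in intercept mode Squid only knows the destination IP at step 1, so instead of deciding "bump" there it peeks at the ClientHello to learn the SNI, splices the domains that must stay untouched, and bumps the rest with a certificate generated for the SNI name. It assumes Squid 3.5 or later (where `at_step` and `ssl::server_name` exist); the port number, the CA file path, the ssl_crtd path and database location are assumptions, and `.ukr.net` is used only because it is the domain from the original report.

```conf
# Added example, not from the original thread. Assumes Squid 3.5+.
# Transparent (NAT-intercepted) HTTPS port. Port, CA path are assumptions.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Certificate generator helper; binary path and db path are assumptions.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# SslBump1: only the TCP destination IP is known (the case from the report).
# SslBump2: Squid has parsed the ClientHello, so the SNI is available.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Domains excluded from bumping, matched on the SNI once it is known.
acl no_bump ssl::server_name .ukr.net

# Do not bump on IP alone; peek at step 1 to get the SNI first.
ssl_bump peek step1

# At step 2 the SNI is known: pass excluded domains through untouched,
# bump everything else with a certificate generated for the SNI name
# rather than for the bare IP address.
ssl_bump splice no_bump
ssl_bump bump all
```

Two caveats a practitioner would check before deploying this. First, `ssl::server_name` is only meaningful for clients that send SNI; a client that sends none will not match `no_bump` and will be bumped, so decide explicitly whether that is acceptable. Second, Amos's suggestion that an upstream ISP may already be bumping can be tested from the proxy host itself by connecting to the origin with and without a server name (for example with `openssl s_client -connect 212.42.76.253:443` and the same command with `-servername www.ukr.net`) and comparing the certificate subjects and issuers returned in each case: an IP-only subject without SNI, and a correct one with it, points at the origin's own SNI-dependent certificate selection rather than at Squid.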