Hi Amos,

Thanks for your explanation. Could you instruct me on how to install Squid v5 on CentOS 7? Based on the URL https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29, CentOS does not seem to support Squid v5.

BR,
Michael

Amos Jeffries <squ...@treenet.co.nz> wrote on Friday, 20 March 2020 at 5:29 PM:

> On 20/03/20 8:27 pm, Michael Chen wrote:
> > Hi Amos,
> > May I know which function Squid v3.5.28 cannot do for my scenario?
> > Because Squid v3.5 still has command of cache_peer and ssl .....
> >
>
> TLS is a volatile environment, with many changes going on constantly.
> Squid-3 has been deprecated since 2018 and is far behind in support
> needed for current TLS practices.
>
> Especially when bumping you should always have the latest Squid version.
>
>
> This first bit can be tested with Squid-3. It is just about getting a
> secure connection to the peer, any Squid should be able to do that.
>
> Ensure that the peer proxy is delivering its CA *chain* properly.
>  * All the intermediates should be supplied during the server handshake.
>  * cache_peer should only need the root CA for that chain. Configured in
> the sslca= or tls-ca= option.
>
> At this point your Squid should be able to pass traffic to the peer.
> Test that with regular http:// URL requests to your Squid. *Not* HTTPS
> or bumped traffic.
>
>
> You can test this following with Squid-3, but do not expect it to work
> very well. Squid-4 is better in a lot of cases, but still not completely.
>
> Your ssl_bump rules should peek at the client cert, then stare at the
> server cert, then bump the crypto. Like so:
>
>  ssl_bump peek step1
>  ssl_bump stare all
>  ssl_bump bump all
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>