[squid-users] ssl_bump problem with tw.bid.yahoo.com in transparent proxy

Vadim Rogoziansky vrogoziansky.squid at gmail.com
Wed Apr 1 14:10:39 UTC 2015


Hello Yuri,

I have the same problem with a transparent proxy (can't bypass bad web 
sites), and as far as I know the Squid guys have not fixed the SNI issue 
yet. Forward proxy works smoothly.
Tell me if I am wrong)

My configuration is the following:

    acl step1 at_step SslBump1
    ssl_bump stare step1 all
    acl sslBumpDeniedDstDomain dstdomain .google.com
    ssl_bump splice sslBumpDeniedDstDomain
    ssl_bump bump all

And the Squid version is:

    Squid Cache: Version 3.5.3
    Service Name: squid
    configure options:  '--with-openssl' '--enable-linux-netfilter' 
    '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd' 
    '--prefix=/opt/squid' '--enable-external-acl-helpers=none' 
    '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for' 
    '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2' 
    '--enable-snmp' 
    'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
    --enable-ltdl-convenience

Regards

On 4/1/2015 12:34 PM, Yuri Voinov wrote:
>
> What version of Squid are you using?
>
> 01.04.15 13:06, Yu-Hsuan Liao wrote:
> > Hello Everyone,
> >
> > I got 'ssl_error_bad_cert_domain' message from browser when I was trying
> > to bump tw.bid.yahoo.com in transparent mode
> >
> > I found that the certificate is signed to tw.otplogin.reg.yahoo.com, which
> > should be signed to tw.bid.yahoo.com
> >
> > but for now I can't bypass using the following configuration:
> >
> > acl yahoo_url tw.otplogin.reg.yahoo.com tw.bid.yahoo.com
> > ssl_bump none yahoo_url
> >
> > yet everything is OK when I use forward proxy, the certificate is correct
> > signed to tw.bid.yahoo.com
> >
> > any ideas?
> >
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
