[squid-users] ssl_bump problem with tw.bid.yahoo.com in transparent proxy

Yuri Voinov yvoinov at gmail.com
Wed Apr 1 15:12:51 UTC 2015


01.04.15 20:10, Vadim Rogoziansky wrote:
> Hello Yuri,
>
> I have the same problem with a transparent proxy (can't bypass bad web
> sites), and as far as I know the Squid guys have not fixed the SNI issue
> yet. A forward proxy works smoothly.

This is the reason that I still use 3.4.12. Bug 4188 is still not fixed.

> Tell me if I am wrong :)
>
> My configuration is the following:
>
> acl step1 at_step SslBump1
> ssl_bump stare step1 all
> acl sslBumpDeniedDstDomain dstdomain .google.com
> ssl_bump splice sslBumpDeniedDstDomain
> ssl_bump bump all
>
> And the squid version is
>
> Squid Cache: Version 3.5.3
> Service Name: squid
> configure options:  '--with-openssl' '--enable-linux-netfilter'
> '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd'
> '--prefix=/opt/squid' '--enable-external-acl-helpers=none'
> '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for'
> '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2'
> '--enable-snmp'
> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> --enable-ltdl-convenience

Looks like all is OK.

>
> Regards
>
> On 4/1/2015 12:34 PM, Yuri Voinov wrote:
>> What version of Squid are you using?
>>
>> 01.04.15 13:06, Yu-Hsuan Liao wrote:
>>> Hello Everyone,
>>>
>>> I got an 'ssl_error_bad_cert_domain' message from the browser when I
>>> was trying to bump tw.bid.yahoo.com in transparent mode.
>>>
>>> I found that the certificate is signed to tw.otplogin.reg.yahoo.com,
>>> when it should be signed to tw.bid.yahoo.com,
>>>
>>> but for now I can't bypass it using the following configuration:
>>>
>>> acl yahoo_url tw.otplogin.reg.yahoo.com tw.bid.yahoo.com
>>> ssl_bump none yahoo_url
>>>
>>> yet everything is OK when I use a forward proxy; the certificate is
>>> correctly signed to tw.bid.yahoo.com
>>>
>>> any ideas?
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users

