[squid-users] ***SPAM*** Re: Random SSL bump DB corruption

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 10 02:03:51 UTC 2015


On 10/04/2015 2:14 a.m., Stakres wrote:
> Yuri,
>
> We’re trying that:
>
> - Tproxy
> - ssl_bump bump all
>
> does not work.
>
> We have followed the squid wiki regarding iptables rules, sysctl, etc…
>
> Instead of “ssl_bump bump all”, if we use “ssl_bump server-first all”, it works, the https is decrypted.
>
> So is the tproxy compatible with the new squid 3.5.x ssl_bump options?

With intercept / tproxy you may need to peek first to get the
ClientHello details. Those are needed not just for any ssl_bump
directive ACLs, but also for generating the correct ClientHello to be
delivered to the server. Without it Squid only has the raw-IP details
from TCP to work with.

Amos
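
The peek-first arrangement described in the reply above, sketched as a squid.conf fragment next to the rule from the quoted message. This is an added example, not configuration posted by anyone in the thread or taken from the Squid project; the port number and certificate path are placeholder assumptions.

```conf
# Added illustration, not from the thread.
# Assumptions: port 3129 and the CA certificate path are placeholders.

# TPROXY listener with SslBump enabled; Squid mints per-host certificates
# signed by the local CA named in cert=.
https_port 3129 tproxy ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/EXAMPLE-CA.pem

# Rule set from the quoted message: the bump decision is taken at the first
# SslBump step, when an intercepted connection offers only the raw-IP details
# from TCP.
# ssl_bump bump all

# Peek-first variant: read the ClientHello at step 1, then bump.
# at_step is the ACL type that matches the current SslBump processing step.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```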

