[squid-users] Strange behaviour with Chrome (client OS = WinXP x64) ...

Sun Feb 1 19:30:41 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 

02.02.2015 1:26, Walter H. пишет:
> On 01.02.2015 19:50, Yuri Voinov wrote:
>> 02.02.2015 0:46, Amos Jeffries пишет:
>>> On 2/02/2015 7:16 a.m., Yuri Voinov wrote:
>>>> 01.02.2015 23:48, Walter H. пишет:
>>>>> Hello,
>>> <snip>
>>>>> acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at
>>>> banking.ing-diba.at ebanking.easybank.at services.kepler.at
>>>> www.kepler.at www.rcb.at
>>>>> acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com
>>>>> ssl_bump none ssl_bump_domains_bankingsites
>>>>> ssl_bump none ssl_bump_domains_msftupdates
>>>>> ssl_bump server-first all
>>>> You do it wrong. You don't know site names BEFORE bump.
>>> No. His http_port settings are those which match a proxy being
>>> configured explicitly in the brower, which means CONNECT messages with
>>> domain name expected to be present.
>> Oh, of course. I compare it with my interception configuration. :)
>> But ip-based dst acl for bankings will works in any case. Just
>> pass-through banking IP without bump - and, viola! - they works.
>> Yes?
>>
> I have a few more lines before ssl-bump server-first all in my squid.conf
>
> acl ssl_bump_domains_none_list dstdomain
"/etc/squid/sslbumpnonedomains-list-acl.squid"
> acl ssl_bump_domains_none_regex dstdom_regex -i
"/etc/squid/sslbumpnonedomains-regex-acl.squid"
> acl ssl_bump_domains_clntfrst_list dstdomain
"/etc/squid/sslbumpclntfrstdomains-list-acl.squid"
> acl ssl_bump_domains_clntfrst_regex dstdom_regex -i
"/etc/squid/sslbumpclntfrstdomains-regex-acl.squid"
> ssl_bump none ssl_bump_domains_none_list
> ssl_bump none ssl_bump_domains_none_regex
> ssl_bump client-first ssl_bump_domains_clntfrst_list
> ssl_bump client-first ssl_bump_domains_clntfrst_regex
>
> and any host in one of these files is either not bumped or bumped with
client-first - google's domains are the FF problem, this is the workaround
Google domains not problem. For me. I have all root and intermediate
CA's and specify it to Squid when bumping. So, in my installation Google
domains bumps as usual.

>
>>>
>>> It might not be, which could be the problem. But that can only known by
>>> looking at the CONNECT request message itself.
>>>
>>> Amos
> attached is the certificate chain the is shown in Google Chrome of
this banking site, that makes problems ...
> by the way, without squid it is the same ..., why?
> what goes wrong?
>
> the reason why not bumping banking sites is the following:
> I have a VM that is used only for electronic banking, and there I
didn't install my CAs root and the SSL-bump CA certificate;
> so any SSL site that has nothing to do with banking will not work, and
that should it be;
Just dig it IP's and pass by IP with dst acl. This will works.
>
> Greetings,
> Walter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUzn7hAAoJENNXIZxhPexGqaAIAIyeBG8FbdihhsnLnOR6O7Rn
L+beP87cKKunKk+pE4CwusNFDuyk62k0wW3dnpj0pbJ2xe12hizJArcDQ+yFMfsD
oMUM9/wJBdwbwCnrXoVqVTuHXonxlsyU9F3Kv/t7mONquF8Qt0oRPhi6PdHj0EDo
zO4OWb0Jm7R0CN1PhAKYe8Ng6RyG94ojM2w5WNuS05yY2xF/UHSbx2NRfD58bOO8
VwB/DBKpGXO11j+2JitPOFLLPFndIJTCFMjk+e/R5XkujA2ngEXBJ24lL6eQbU9K
+jFzrlVkcWryIPmtENVhZqdU/X2zkIsn6VhzunMmrN75oGJYH3cthw3e1k3WoKs=
=e+ao
-----END PGP SIGNATURE-----