[squid-users] SSL-bump certificate issues (mostly on Chrome, when accessing Google websites)

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 6 09:17:31 UTC 2015


On 6/02/2015 9:32 p.m., Amos Jeffries wrote:
> On 6/02/2015 6:10 p.m., Luis Miguel Silva wrote:
>> Dear all,
>>
>> I recently compiled squid-3.4.9 with ssl-bump support and, although it is
>> working for the most part, I'm having some issues accessing some websites.
>>
>> The behavior is REALLY weird so I'm going to try and describe it the best I
>> can:
>> - If I access https://www.google.com/ in Chrome, I could see that it was
>> processing my certificate MOST of the times...
>> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg
>> - some other times, it seemed to bypass my proxy altogether and I finally
>> figured out it was because Chrome will try to access QUIC enabled websites
>> using that protocol, so it would bypass my firewall redirect rules! I
>> believe I now have solved this by blocking FORWARDING traffic on port 443
>> udp...
> 
> reply_header_access Alternate-Protocol deny all
> 
> This was added by default in 3.5. Your report now is the final straw for
> me; I'm backporting it to 3.4 now for adding in the next security release.

Meh, forgetful. Last straw was a while back. It's in 3.4.10 and later.

So ... "please upgrade to a current release", blah blah blah.

Amos
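
An added example, not part of the original message and not Squid code: a small Python check for confirming that responses reaching a client behind the bumping proxy no longer advertise QUIC once `reply_header_access Alternate-Protocol deny all` is in place. The sample responses are constructed, and the `Alt-Svc` check is an assumption that goes beyond the one header named in this thread.

```python
import re

# Response headers through which a server can advertise QUIC on UDP 443.
# Alternate-Protocol is the header named in this thread; Alt-Svc (RFC 7838)
# is its standardized successor and is included here as an assumption.
ADVERT_HEADERS = ("alternate-protocol", "alt-svc")
QUIC_TOKEN = re.compile(r"\b(quic|h3(-\w+)?)\b", re.IGNORECASE)


def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line[:1] in (" ", "\t") and headers:
            # Obsolete folded continuation: append to the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def quic_adverts(raw):
    """Return the headers in this response that still advertise QUIC."""
    return [(n, v) for n, v in parse_headers(raw)
            if n in ADVERT_HEADERS and QUIC_TOKEN.search(v)]


# Constructed samples: a response as an origin might send it, the same
# response after the proxy has dropped the header, and an Alt-Svc variant.
UNFILTERED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Alternate-Protocol: 443:quic,p=0.02\r\n\r\n<html>")
FILTERED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
ALT_SVC = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           'Alt-Svc: h3=":443"; ma=86400\r\n\r\n<html>')

if __name__ == "__main__":
    for label, raw in (("unfiltered", UNFILTERED),
                       ("filtered", FILTERED),
                       ("alt-svc", ALT_SVC)):
        found = quic_adverts(raw)
        print(label, "->", found if found else "no QUIC advertisement")
```

A non-empty result for a response captured on the client side means the browser can still learn about the UDP path, so the UDP 443 block on the firewall remains the control that keeps traffic on the intercepted TCP path.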
