[squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Yuri Voinov yvoinov at gmail.com
Fri Jan 9 19:51:25 UTC 2015


How can that be?

All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN;
other sites' behaviour depends on their (and the browsers') settings.

Is it possible to keep the server-first behaviour in 3.5.x?

WBR, Yuri

09.01.2015 16:57, Amos Jeffries wrote:
> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
>
> > I have a working production 3.4.10 with working ssl bumping.
>
> > Config was the same as the working 3.4.10. I just wanted to take a
> > look at the new release.
>
> > squid.documented says that backward compatibility for the server-first
> > and none options of ssl_bump is kept.
>
> > But:
>
> > Neither works, with the old syntax or the new.
>
> > Looks like target https hosts are not resolved and bump got only the IP.
>
> The config values are still accepted, but there is an extra bumping
> stage now before the SNI is available.
>
> You are wanting to peek at stage 1 (to get the client SNI details) and
> server-first/splice at stage 2 (using the domain). Otherwise all Squid
> has to work with when intercepting is the TCP IPs.
>
> Amos
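The two-step split Amos describes, written out as an added squid.conf example (this is not a config posted in the thread): peek at the first ssl_bump step so Squid reads the client's SNI, then bump at the second step once the domain is known. The port number and certificate path are placeholders to adapt; the at_step ACL type and the SslBump1/SslBump2 step names are Squid 3.5 syntax.

```conf
# Added example, not from the thread. Port and cert path are placeholders.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem

# Bumping steps: at SslBump1 only the intercepted TCP endpoints are known;
# at SslBump2 Squid has read the client's TLS ClientHello, including SNI.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: peek, so the decision is not made on the server IP alone.
ssl_bump peek step1

# Step 2: the domain is now known. Bumping here fetches the origin server's
# certificate and mimics it (the 3.4 server-first behaviour), so the
# generated certificate carries the host name rather than the IP.
# Replace with "ssl_bump splice all" to tunnel the session undecrypted.
ssl_bump bump all
```

After `squid -k reconfigure`, a quick check from a client behind the proxy is `openssl s_client -connect <origin-ip>:443 -servername <host>`: the mimicked certificate's subject should now show the host name from the SNI, which is what HSTS-enabled sites and browsers refuse to accept when it is an IP address.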
