[squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Daniel Greenwald dig at digcorp.net
Mon Jan 26 04:39:57 UTC 2015


Thank you Amos,
Based on your explanation I was able to make bumping work for transparent
with no browser errors in 3.5.1 by using the following. If I understand
correctly, this is actually what's required to mimic the behavior of pre-3.5
(ssl_bump server-first all):

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all

Hope that helps Yuri or anyone else with this issue.

PS So far this is working great for e.g. gmail.com, which in the previous
version would throw browser errors!

-----------
Daniel I Greenwald
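For readers putting this together, here is a fuller transparent-interception stanza built around the same two-stage rules; it is an added illustration, not configuration posted in the thread, and it uses the 3.5 `bump` action in place of the deprecated `server-first`. The port number, CA file, ssl_crtd path and the `nobump` domain are assumptions to adapt.

```conf
# Intercepted HTTPS traffic arrives here (port number is an assumption).
# generate-host-certificates makes Squid mint a mimicked cert per origin.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/squidCA.pem

# Certificate-generator helper and its on-disk cache (paths are assumptions).
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# SslBump1: only the TCP destination IP is known in intercept mode.
# SslBump2: the client's TLS ClientHello, including SNI, has been read.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Origins to pass through untouched, matched by SNI (example domain only).
acl nobump ssl::server_name .example-bank.test

# Peek first so the SNI hostname is known before any cert is mimicked;
# then splice the exceptions and bump everything else. Bumping at step 1
# would mimic a cert for the bare IP, the symptom reported in the thread.
ssl_bump peek step1 all
ssl_bump splice step2 nobump
ssl_bump bump step2 all
```

After reloading, `openssl s_client -servername <host>` through the intercepted path should show a mimicked certificate whose subject names the host rather than its IP.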



On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov at gmail.com> wrote:

>
> How can that be?
>
> All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN;
> other sites' behaviour depends on their (and browsers') settings.
>
> Is it possible to keep server-first behaviour in 3.5.x?
>
> WBR, Yuri
>
> 09.01.2015 16:57, Amos Jeffries wrote:
> > On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
> >
> > > I have working production 3.4.10 with working ssl bumping.
> >
> > > Config was the same as the working 3.4.10. I just wanted to take a
> > > look at the new release.
> >
> > > squid.conf.documented says that backward compatibility for the
> > > server-first and none options for ssl_bump is kept.
> >
> > > But:
> >
> > > Neither works with the old syntax, nor the new.
> >
> > > Looks like target HTTPS hosts are not resolved and bump got only the IP.
> >
> > The config values are still accepted, but there is an extra bumping
> > stage now before the SNI is available.
> >
> > You are wanting to peek at stage 1 (to get the client SNI details) and
> > server-first/splice at stage 2 (using the domain). Otherwise, all Squid
> > works with when intercepting are the TCP IPs.
> >
> > Amos