[squid-users] ssl_crtd breaks after short time

James Lay jlay at slave-tothe-box.net
Wed Jun 10 13:18:56 UTC 2015


On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote:

> Amos Jeffries wrote on 2015-06-09 17:10:
> [CUT]
> > You have to first configure ssl_bump in a way that lets Squid receive
> > the clientHello message (step1 -> peek) AND the serverHello message
> > (step2 -> peek). Then you can use those cert details to bump (step3 ->
> > bump).
> > The config is quite simple:
> >   ssl_bump peek all
> >   ssl_bump bump all
> > 
> I have this:
> ssl_bump peek step1 broken
> ssl_bump peek step2 broken
> ssl_bump splice broken
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump bump all
> 
> > 
> > But there are cases like the client is resuming a previous TLS session
> > where there is no certificates involved. Squid cannot do anything, so it
> > automatically splices (3.5.4+ at least do). Or if you have configured
> > your Squid in a way that there are no mutually supported ciphers.
> > 
> 
> My client is curl.. I don't think that it's caching any TLS sessions.
> 
> > 
> > It may just be your ssl_bump rules. But given that this is a google
> > domain there is a strong chance that you are encountering one of those
> > special cases.
> >
> I'd like squid to disallow queries where it cannot see what domain name
> / url is going to be accessed.
> 
> I'd like all GET/POST etc. requests to go through squid - so they are
> controlled by the normal http_access rules as http (intercepted) is
> currently.
> 
> This worked with 3.4.12 :( (but only for 30 minutes or less)
> 
> You saw my full config.. how is it supposed to look with 3.5.5, for this
> to work as it did with 3.4.12 ?
> 
> sorry I'm a bit frustrated.. I can't seem to grasp what changed from
> 3.4.12 to 3.5.5, which means I suddenly can't filter https traffic
> anymore :(
> 


Gents,

I'm going to spin this off into a new thread..."Filtering http and https
traffic" sometime later today.  I have some questions, and maybe
solutions.

James
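For readers following the thread, here is an annotated squid.conf fragment illustrating the three-step flow Amos describes above (peek at the ClientHello, peek at the ServerHello, then bump) together with the splice-on-broken rule from Klavs's config. This is an added example, not configuration from either poster or from the Squid project; the `ssl::server_name` ACL and the `terminate` action are assumed to be available in the 3.5 series, and the ACL names and the listening port are placeholders.

```squid
# Assumed: an intercepting HTTPS port with bumping enabled; the CA cert/key
# paths are placeholders for the deployment's own values.
https_port 3129 intercept ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key

# Step names as used in the thread: step1 = ClientHello seen, step2 = ServerHello seen.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Assumed ACL (not from the page): handshakes Squid could not parse, e.g. a
# resumed session with no certificate exchange, or no mutually supported cipher.
# Placeholder name; populate it with the site-specific criteria for "broken".
acl broken ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

# Look at the ClientHello (step1) and ServerHello (step2) before deciding.
ssl_bump peek step1 all
ssl_bump peek step2 all

# Once both hellos have been seen, hand broken sessions through untouched...
ssl_bump splice broken
# ...and bump everything else so GET/POST requests are visible to http_access.
ssl_bump bump all

# After bumping, the decrypted requests are subject to the same http_access
# rules as plain intercepted HTTP, which is the behaviour Klavs is after.
acl allowed_sites dstdomain .example.org
http_access allow allowed_sites
http_access deny all
```

Ordering matters: the `peek` lines must come before `splice`/`bump` so that the certificate details from step2 are available when the final decision is made; a `bump` rule evaluated at step1 would have to act on the ClientHello alone.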