[squid-users] sslBump adventures in enterprise production environment
christos at chtsanti.net
Tue Nov 17 09:46:10 UTC 2015
On 11/16/2015 08:00 AM, Eugene M. Zheganin wrote:
> On 16.11.2015 00:14, Yuri Voinov wrote:
>> It's common knowledge. Squid is unable to pass an unknown protocol on
>> the standard port. Consequently, the ability to proxy this protocol does
>> not exist.
>> If it was simply a tunneling ... It is not https. And not just
>> HTTP-over-443. This is a more complicated and very marginal protocol.
> I'm really sorry to tell you that, but you are perfectly wrong. These
> non-HTTPS tunnels have been working for years. And this isn't HTTPS
> because of:
> # openssl s_client -connect login.icq.com:443
> 34379270680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
This does not look like an SSL protocol.
It cannot be used on an SSL-bumping squid port.
The "on_unsupported_protocol" configuration parameter, which exists on
squid-trunk and squid-4.x, may be useful for your case.
> no peer certificate available
> No client certificate CA names sent
> SSL handshake has read 7 bytes and written 297 bytes
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
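
Added example, not part of the original post and not Squid's or OpenSSL's code: a simplified Python check of whether the first bytes seen on a port-443 connection form a TLS record, which is the distinction the reply above draws. The function name, the labels it returns and the sample byte strings are constructed for illustration.

```python
import struct

HANDSHAKE, ALERT = 22, 21                      # TLS record content types
HELLO_TYPES = {1: "tls-client-hello", 2: "tls-server-hello"}
MAX_PLAINTEXT = 2 ** 14                        # largest unencrypted record payload


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes of a stream that is expected to speak SSL/TLS."""
    if len(data) < 6:
        return "incomplete"                    # need record header + 1 payload byte
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # TLS record: type, version 3.x, 16-bit length, then the payload
    if major == 3 and minor <= 4 and 0 < length <= MAX_PLAINTEXT:
        if ctype == HANDSHAKE:
            # the first handshake message must be a ClientHello or ServerHello
            return HELLO_TYPES.get(data[5], "not-tls")
        if ctype == ALERT and length == 2:
            return "tls-alert"
    # SSLv2-style hello: high bit set in a 2-byte length, message type, version
    if data[0] & 0x80 and data[2] in (1, 4) and (
        data[3] == 3 or data[3:5] == b"\x00\x02"
    ):
        return "sslv2-hello"
    return "not-tls"


# Constructed sample inputs (not captured from any real server)
SAMPLES = {
    "client hello": bytes.fromhex("16030100c8" "010000c4" "0303"),
    "server hello": bytes.fromhex("160303004a" "02000046"),
    "fatal alert": bytes.fromhex("15030300020228"),
    "sslv2 hello": bytes.fromhex("802e" "01" "0301" "0015"),
    "7-byte non-TLS reply": b"HELLO\r\n",
    "plain HTTP": b"GET / HTTP/1.1\r\n",
    "too short": b"\x16\x03",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22s} {classify_first_bytes(blob)}")
```

A stream labelled `not-tls` here is the kind of traffic that an SSL-bumping port cannot parse.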