[squid-users] sslBump adventures in enterprise production environment

Yuri Voinov yvoinov at gmail.com
Tue Nov 17 19:10:09 UTC 2015


17.11.15 15:46, Christos Tsantilas wrote:
> On 11/16/2015 08:00 AM, Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 00:14, Yuri Voinov wrote:
>>
>>> It's common knowledge. Squid is unable to pass an unknown protocol on
>>> the standard port. Consequently, the ability to proxy this protocol does
>>> not exist.
>>>
>>> If it was simply a tunneling ... It is not https. And not just
>>> HTTP-over-443. This is more complicated and very marginal protocol.
>>>
>> I'm really sorry to tell you that, but you are perfectly wrong. These
>> non-HTTPS tunnels have been working for years. And this isn't HTTPS
>> because of:
>>
>> # openssl s_client -connect login.icq.com:443
>> CONNECTED(00000003)
>> 34379270680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>
> This does not look like an SSL protocol.
> It cannot be used on an SSL-bumping squid port.
We know. But this IM also doesn't work over a simple forwarding
non-ssl-bumped Squid port either. BTW, why?
>
> The "on_unsupported_protocol" configuration parameter, which exists on
> squid-trunk and squid-4.x, may be useful for your case.
Heh, back to future......
>
>
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 297 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>> Eugene.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
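
The openssl output quoted in this thread shows a port-443 peer whose first reply is not a TLS record. As an added example (not from the thread and not Squid code), the sketch below classifies the first bytes a server returns to a ClientHello, so non-TLS destinations can be listed before bumping is enabled; the host names and byte samples are constructed placeholders.

```python
import struct

# Record types a server may legitimately send first in reply to a ClientHello.
FIRST_REPLY_TYPES = {21: "alert", 22: "handshake"}
MAX_RECORD_LEN = 2**14 + 2048   # upper bound for a TLS record body
SERVER_HELLO = 2                # handshake message type


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent: 'tls', 'not-tls' or 'short'."""
    if len(data) < 5:
        return "short"          # not even a full 5-byte record header
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in FIRST_REPLY_TYPES:
        return "not-tls"
    if major != 3 or minor > 4:  # record-layer major version is always 3
        return "not-tls"
    if length == 0 or length > MAX_RECORD_LEN:
        return "not-tls"
    if ctype == 21 and length != 2:
        return "not-tls"        # a plaintext alert is exactly level + description
    if ctype == 22 and len(data) > 5 and data[5] != SERVER_HELLO:
        return "not-tls"        # first handshake message must be ServerHello
    return "tls"


def non_tls_destinations(first_replies: dict) -> list:
    """Return destinations whose first reply is present but not TLS."""
    return sorted(host for host, data in first_replies.items()
                  if classify_first_bytes(data) == "not-tls")


# Constructed sample replies (not captured traffic); host names are placeholders.
SAMPLES = {
    "tls-site.example:443": b"\x16\x03\x03\x00\x51\x02" + b"\x00" * 10,
    "tls-alert.example:443": b"\x15\x03\x03\x00\x02\x02\x28",
    "im-service.example:443": b"HELLO\r\n",      # 7 bytes of a non-TLS protocol
    "plain-http.example:443": b"HTTP/1.1 400 Bad Request\r\n",
    "truncated.example:443": b"\x16\x03",
}

if __name__ == "__main__":
    for host, data in SAMPLES.items():
        print(host, classify_first_bytes(data))
    print("exclude from bumping:", non_tls_destinations(SAMPLES))
```

Destinations it flags are candidates for the on_unsupported_protocol handling mentioned in the thread, or for exclusion from bumping.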



