[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 26 22:25:59 UTC 2015


On 17/09/2015 7:18 p.m., Dieter Bloms wrote:
> here the ssl relevant part of my squid.conf
> --snip--
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL

I'm not sure if this is your problem, but the presence of "ALL" at the
end overrides the previous NO_SSLv2:NO_SSLv3 settings.

Better not to use "ALL", it enables a lot of known problematic
workarounds and hacks for obsolete software. But if you actually need
it, place it first then remove the bits you don't want. Same as what is
done below for ciphers.

> sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> --snip--
> 
> so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
> do a GET Request to https://banking.postbank.de/ to see if that works.
> 

(Sorry I can't help with the testing for bump, hopefully Marcus and Alex's
responses are useful there).

Amos
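
A small check for the ordering advice in the reply above, as an added example that is not part of the original message or the Squid code base. It flags `sslproxy_options` lines that include `ALL`, that list `ALL` anywhere but first, or that omit the protocol-disable flags from the quoted config; the function name, finding codes and sample config are constructed for illustration.

```python
import re

# Protocol-disable flags that appear in the squid.conf quoted in the thread.
REQUIRED = ("NO_SSLv2", "NO_SSLv3")


def lint_sslproxy_options(conf_text):
    """Return (line_number, code, message) findings for sslproxy_options lines."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "sslproxy_options":
            continue
        # The thread separates flags with ':'; ',' is accepted too (assumption).
        tokens = [t.strip() for t in re.split(r"[:,]", parts[1]) if t.strip()]
        if "ALL" in tokens:
            findings.append((lineno, "ALL_PRESENT",
                             "ALL enables workarounds for obsolete software; "
                             "drop it unless it is actually needed"))
            if tokens.index("ALL") != 0:
                findings.append((lineno, "ALL_NOT_FIRST",
                                 "if ALL is needed, list it first and put the "
                                 "bits to remove after it"))
        for flag in REQUIRED:
            if flag not in tokens:
                findings.append((lineno, "MISSING_" + flag,
                                 flag + " is not set on this line"))
    return findings


# Constructed sample, based on the line quoted in the thread.
SAMPLE_CONF = """\
# outgoing TLS settings
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
"""

if __name__ == "__main__":
    for lineno, code, msg in lint_sslproxy_options(SAMPLE_CONF):
        print(f"line {lineno}: {code}: {msg}")
```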

