[squid-users] SSL Bump - Splice - Chrome error

Nir Krakowski nir.kra at gmail.com
Sat Jan 2 20:12:14 UTC 2016


It's called certificate pinning:
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Nir.

On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez <ajm.martinez at gmail.com>
wrote:

> Hi all,
>
> I'm using squid 3.5.12.
>
> This is my relevant config:
>
> http_port 881
> http_port 880 intercept
> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> #### Denied Users
> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
> http_access deny equipos_denegados
> deny_info DENY equipos_denegados
>
> #### Allowed users
> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
> http_access allow equipos_permitidos
> ####
>
> #### Denied Sites
> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
> http_access deny sitios_denegados
> ####
>
> #### Block HTTPS
> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
> ssl_bump terminate blockhttps
> ssl_bump splice equipos_permitidos
> ssl_bump peek all
> ssl_bump splice all
> ####
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_options NO_SSLv3:NO_SSLv2
>
>
> Basically I'm using squid to allow everything and deny some users (hosts)
> and some sites (http and https).
>
> If I use IE or Firefox (Win/Lin), everything works great: if I access a
> site via HTTP the user sees a message, and if he accesses it via HTTPS the
> connection is terminated and there is an error in the browser.
>
> But if I access any google site using chrome (windows / linux) the sites
> are getting bumped (google.com, google.com.X, youtube.com, etc.)
>
> The browser complains with "Your connection is not private" and the
> certificate is my own certificate.
>
> Am I missing something?
>
> I only want to splice everything.
>
> Thanks
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
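The pinning check Nir refers to, as an added example that is not part of either message: a browser holding a preloaded pin for a site accepts only a chain whose SubjectPublicKeyInfo hashes to that pin, so a certificate that Squid's ssl_crtd mints for the same host name under the proxy CA's key fails regardless of whether the proxy CA is trusted. The two self-signed certificates below are constructed test material standing in for the origin's real certificate and for the proxy-generated one; the pin computation follows RFC 7469 (base64 of SHA-256 over the DER SPKI).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"time"
)

// selfSigned mints a self-signed cert for name with a fresh P-256 key. Constructed
// test material: it stands in for the origin cert and for the one a bumping proxy
// generates on the fly under its own CA for the same host name.
func selfSigned(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo)). It binds
// the key, not the name, so a same-host cert under another key pins differently.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches mirrors the browser side: accept the presented chain only if at
// least one certificate in it carries a pinned SPKI.
func pinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}
```

With the origin's pin recorded, pinMatches returns true for the origin chain and false for the re-minted chain, which is the "Your connection is not private" outcome seen in Chrome.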