[squid-users] SSL Bump - Splice - Chrome error
Yuri Voinov
yvoinov at gmail.com
Mon Jan 4 11:12:59 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Not sure. I'm only bump Google for caching static content (and some
dynamic). In my setup I have much google-related traffic.
04.01.16 6:16, Alejandro Martinez пишет:
> Thanks again Yuri.
>
> I have tried blocking udp protocol on port 80 and 443 but without luck.
>
> Is it possible to make google sites work in transparent mode without
> bumping ? only splicing ?
>
> Thanks
>
>
> 2016-01-03 10:11 GMT-03:00 Alejandro Martinez <ajm.martinez at gmail.com>:
>
>> Sorry my corrector.
>> I want to say that i am going to check blocking quic proto.
>>
>> Sorry
>> El 03/01/2016 10:10, "Alejandro Martinez" <ajm.martinez at gmail.com>
>> escribió:
>>
>>> Yuri
>>>
>>> Thanks.
>>>
>>> I amor.gringaus to checkpoint blocking quic.
>>>
>>> I cant put ca cert into clients besarse I dont have access but I do not
>>> want to bump, Just allow almost everything and deny only a few sites.
>>>
>>> I Will tell you my result.
>>> El 03/01/2016 06:22, "Yuri Voinov" <yvoinov at gmail.com> escribió:
>>>
>>>> Sure,
>>>>
>>>> my config is quite different.
>>>>
>>>> Also - did you put cache CA cert into clients? And - did you block QUIC
>>>> in your infrastructure? As described here:
>>>>
>>>> http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
>>>> ?
>>>>
>>>> 03.01.16 8:28, Alejandro Martinez пишет:
>>>>
>>>> Yuri
>>>>
>>>> Do you haber something diferent in your config?
>>>>
>>>> Thanks
>>>> El 02/01/2016 17:18, "Yuri Voinov" < <yvoinov at gmail.com>
>>>> yvoinov at gmail.com> escribió:
>>>>
>>>>>
> Don't think so.
>
> Google's HTTPS's works for me without any alerts in Chrome :) With
> bump! ;)
>
> 03.01.16 2:12, Nir Krakowski пишет:
> >>>>>> Its called certificate pinning: >
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning > > Nir. > > On
> Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
> <ajm.martinez at gmail.com> <ajm.martinez at gmail.com> > wrote: > >> Hi
> all, >> >> I'm using squid 3.5.12. >> >> This is my relevant config: >> >>
> *http_port 881* >> *http_port 880 intercept* >> *https_port 843 intercept
> ssl-bump generate-host-certificates=on >> dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/cert.pem key=* >>
> */usr/local/squid/etc**/cert.pem options=NO_SSLv3:NO_SSLv2 >>
>
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH*
> >>>>>>> *sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s * >>
> */usr/local/squid/etc/**ssl/certs -M 4MB sslcrtd_children 8 startup=1 >>
> idle=1* >> >> *#### Denied Users* >> *acl equipos_denegados src
> "**/usr/local/squid/etc**/equipos_denegados"* >> *http_access deny
> equipos_denegados* >> *deny_info DENY equipos_denegados* >> >> *####
> Allowed users* >> *acl equipos_permitidos src
> "/**usr/local/squid/etc**/equipos_permitidos"* >> *http_access allow
> equipos_permitidos* >> *####* >> >> *#### Denied Sites* >> *acl
> sitios_denegados dstdomain "**/usr/local/squid/etc* >> */sitiosdenegados"*
> >>>>>>> *http_access deny sitios_denegados* >> *####* >> >> *####
Block HTTPS*
> >>>>>>> *acl blockhttps ssl::server_name "/**usr/local/squid/etc* >>
> */sitiosdenegados"* >> *ssl_bump terminate blockhttps* >> *ssl_bump splice
> equipos_permitidos* >> *ssl_bump peek all* >> *ssl_bump splice all* >>
> *####* >> >> *sslproxy_cert_error allow all* >> *sslproxy_flags
> DONT_VERIFY_PEER* >> *sslproxy_options NO_SSLv3:NO_SSLv2* >> >> >>
> Basically I'm using squid to allow everything and deniy some users (hosts)
> >>>>>>> and some sites (http and https). >> >> If I use IE or Firefox
(Win/Lin),
> everything works great, if I access a >> site via HTTP the user see a
> message and if he access via HTTPS the >> conecction is terminated and
> there is an error on the browser. >> >> But, If I access any google site
> using chrome (windows / linux) the sites >> are getting bumped (
> google.com, google.com.X youtube.com, etc) >> >> The browser complains
> with a "Your conecction is not private" and the >> certificate is my own
> certificate. >> >> I'm missing something ? >> >> I only what to splice
> everythng. >> >> Thanks >> >> >>
> _______________________________________________ >> squid-users mailing
list
> >>>>>>> squid-users at lists.squid-cache.org >>
> http://lists.squid-cache.org/listinfo/squid-users >> >> > > > >
> _______________________________________________ > squid-users mailing list
> >>>>>> squid-users at lists.squid-cache.org >
> http://lists.squid-cache.org/listinfo/squid-users
>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>
>>>>>
>>>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWilO6AAoJENNXIZxhPexG4CQH/1LD3i6xIKQzenEOBB/1crBV
LfjDk2owqhX8QLyfCVaw56e1Km0SCIS7lTuAsBS9gDZLcu7Gnw1a1/zp8O+TWHbV
vQhbcrN71oIceuHJ3EKVB+a7lDJU1YpyRwQZErE3cjnpLzV1vVAr2LD8HUpAOvZd
HVnTQC2gf81jYxnsPNfcIt3a7qnmEec4fenTChJGEsfjEO1RznRjZtoB/VqSBxcO
WjRtVTSWiF2tLXRQ8hfwZYmBj7EMFNPFTQYbphE1Ujz+fCYPxR/ncNxcOKdEZCAX
Mu9CmmQ+q8HWg3GSBULoq4UkR28gVgRbDag3pWdKjGk8mQOtwjgW5u1c7tUzl4A=
=tvLZ
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160104/2f67984e/attachment.html>
More information about the squid-users
mailing list