[squid-users] sahibinden.com fails with https bump
squid3 at treenet.co.nz
Tue May 10 11:29:50 UTC 2016
On 10/05/2016 10:34 p.m., turgut kalfaoğlu wrote:
> Hello everyone..
> My setup -- this is for speeding up the home ADSL..
> https_port 3129 intercept ssl-bump \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
> cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
Are you sure Squid is actually running this config file?
Where is the definition for this ACL you named "ssl::certDomainMismatch".
Note that name and type of ACL are different things. Name is a text
string usually assigned by you. Type is how and what it matches against
> sslproxy_cert_error allow all
TLS is security. Ignoring all security errors is not good.
> sslproxy_flags DONT_VERIFY_PEER
The above flag should not be used outside some very specific debugging
circumstances. It breaks the other config settings about what to do with
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 20 startup=3 idle=1
> ssl_bump server-first all
> This works well for facebook, gmail, google, and probably others..
> But https://sahibinden.com , whatever they are doing fails - the page
> appears broken.
> I tried broken_sites acl trick, did not help.
Two reasons possibly for that:
1) Order is important.
The exact ordering of the ssl_bump rules will determine which gets
applied. If "server-first all" is listed about "non broken_sites". Then
the broken sites workaround will never be attempted.
2) you are intercepting traffic.
This means that the destination server name is not available to either
of server-first or "none" ations. All you have to work with is the
server raw-IP presented by TCP layer.
You need to upgrade to the peek-and-splice configuration actions for
server name and other TLS detail based workarounds to be useful.
> acl broken_sites ssl::server_name .sahibinden.com
> acl broken_sites ssl::server_name image5.sahibinden.com
This second entry should not be. The top entry overlaps.
> acl broken_sites ssl::server_name .shbdn.com
> ssl_bump none broken_sites
> Does anyone have any ideas what else I can try?
Are you using the very latest 3.5.19 release?
If not please upgrade your Squid.
If you are please upgrade your config rules.
More information about the squid-users